Storage. Speed. Stability.

In order to achieve maximum performance, the TrueNAS™ Pro 2U and 4U Systems, equipped with the Intel® Xeon® Processor 5600 Series, support Fusion-io's Flash Memory cards and 10GbE Network Cards. Titan TrueNAS™ Pro 2U and 4U Appliances are an excellent storage solution for video streaming, file hosting, virtualization, and more. Paired with optional JBOD expansion units, the TrueNAS™ Pro Systems offer excellent capacity at an affordable price.

Up to 14.08TB of Fusion-io Flash for Maximum Data Security
I'm presenting you with the newest issue of BSD magazine: Protecting dynamic websites in FreeBSD.

We warm up with Darrel Levitch's article about installing and configuring DNSSEC for small networks using Unbound.

Then we move on to the Developers Corner, which is very PC-BSD oriented this month, with two articles written by Kris Moore and Dru Lavigne. You will learn how to easily update your PC-BSD and how to back it up to FreeNAS with Life Preserver.

We also couldn't miss news from the DragonflyBSD project, provided by Justin Sherrill.

The How Tos' first article is our cover story, written by Stavros Shaeles; his tutorial will guide us step by step and show how to install and configure various applications to successfully protect our dynamic websites from various attacks.

It is followed by Sufyan bin Uzayr and his article explaining how to tune and optimize MySQL databases for best performance, and Alexei Malinin, who describes his work with OpenBSD consoles for AMD/Intel PCs.

After that Michael Bushkov will show us some tricks of how we can use our video and audio using the VideoLAN command line interface.

In the last article, written by Svetoslav Chukov, we will take a look at NetBSD Intrusion Detection Server.

I hope you will find this issue to be both interesting and educating. Remember we always await your
Get Started

DNSSEC resolution and IPv6 Unbound on FreeBSD 8.2
Darrel Levitch
Unbound runs on FreeBSD, OpenBSD, NetBSD, Linux, and Microsoft Windows. It provides a reasonably simple way to implement DNSSEC in a local-area network. With Unbound, forward and reverse resolution is possible for small networks where IPv6 is implemented.

Developers Corner

08 Keeping up to date in PC-BSD 9
Kris Moore
Since the early days of PC-BSD, there have been various GUI mechanisms for performing critical system and security updates.

10 Using Life Preserver to Backup a PC-BSD 9.0 System to FreeNAS™ 8.0.1
Dru Lavigne
This article demonstrates how to use the built-in Life Preserver program to backup a PC-BSD 9.0 desktop system to a FreeNAS™ 8.0.1 NAS system. Users can refer to the Guides at http://wiki.pcbsd.org/index.php/PC-BSD_9_Handbook and http://doc.freenas.org for instructions on how to install PC-BSD and FreeNAS™.

Recovering data with hammer
Justin C. Sherrill
We've all experienced instant regret. That's the feeling that comes within a second of executing a command like "rm -rf * txt" (note the space) or of cutting the wrong cluster of wires at the end of a long conduit. Not that I am quoting from experience, or anything like that, no...

How Tos

Apache2, php5, mysql5, modsecurity2.5 installation and configuration in order to protect dynamic websites from various attacks, in FreeBSD 8.2
Stavros N. Shaeles
In the last years there has been a tremendous increase in dynamic websites and CMSs using PHP. A very large part of the market for these websites is served by the Apache web server using MySQL as the database, mostly on Unix systems. This tremendous increase of PHP in dynamic websites and open-source CMSs like Joomla also increases hacker attacks intended to compromise a website or hack the server to use it in a botnet. So someone might wonder: is there anything that can protect my websites apart from backups and upgrading our system and software? The answer is yes.

28 MySQL Unleashed!
Sufyan bin Uzayr
We explore some tips and tricks that you can use to gain better performance with MySQL.

34 Terminal Descriptions for OpenBSD AMD/Intel consoles
Alexei Malinin
In this article I would like to describe the results of my work of tuning OpenBSD consoles for AMD/Intel PCs. These results are also applicable to computers with the same hardware architecture (amd64 or i386, see http://www.openbsd.org/plat.html): servers, workstations, notebooks, etc.

Tips and Tricks

38 VideoLAN: learn what you can do with your video and audio using the powerful VideoLAN command line interface
Michael Bushkov
Dealing with video and audio data is part of our everyday life. Sometimes, though, we need to do things that fall into the "advanced" category. What tools should we use then?

Security

NetBSD Intrusion Detection Server. How can we describe the functions of such a server?
Svetoslav Chukov
Sometimes special types of systems need to be running on the server. This server will serve different purposes; it will take care of the network security.
DNSSEC resolution and IPv6 Unbound on FreeBSD 8.2

Unbound runs on FreeBSD, OpenBSD, NetBSD, Linux, and Microsoft Windows.

What you will learn...
• how to install and configure DNSSEC for small networks

What you should know...
• basic FreeBSD concepts
• basic DNS concepts

Unbound provides a reasonably simple way to implement DNSSEC in a local-area network. With Unbound, forward and reverse resolution is possible for small networks where IPv6 is implemented. You could modify this example installation against your network, and possibly have Unbound serving DNS on your network in a few hours. This example configures an authoritative, validating, recursive, and caching DNS server.

Before installing the Unbound DNS validating resolver, it might be a good idea to have a recent version of OpenSSL from ports:

# cd /usr/ports/security/openssl
# make install clean

I enabled TLS_EXTRACTOR and SCTP for the case that it might be interesting to use them sometime in the future. Next, install the resolver:

# cd ../../dns/unbound
# make install clean

Even though Paul Vixie might disagree, I did not want to have much limitation on outgoing ports, so I enabled LIBEVENT. I did not think of a reason to enable THREADS or GOST. If you do Python programming, perhaps you will enable PYTHON.

Before modifying the configuration file, get a copy of root.hints:

# wget ftp://FTP.INTERNIC.NET/domain/named.cache -O \
    /usr/local/etc/unbound/root.hints

To use DNSSEC, put a key file in /usr/local/etc/unbound and name it root.key. The file will contain one line:

. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

You can check for a more recent version at http://data.iana.org/root-anchors/root-anchors.xml. Make the file readable by the daemon:

# chown unbound /usr/local/etc/unbound/root.key

Before moving on to the Unbound configuration file, make some changes to FreeBSD. Technical example addressing is used in this example, so if you do not already have private IPv6 addresses, then search and study unique local addressing. Add to /etc/rc.conf:

ipv6_enable="YES"
ipv6_ifconfig_ethCard0="2001:0db8::xxxx:xxxx:xxxx:xxxx/32"
unbound_enable="YES"

From here, let us move on to the Unbound configuration file. The unbound.conf(5) configuration file can be found in /usr/local/etc/unbound. Copy unbound.conf.sample to unbound.conf. Before actually using the file, the utility unbound-checkconf(8) can be run to check for errors; e.g.,

# unbound-checkconf
unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf

Next are the modifications to unbound.conf(5). Most of the default entries are left alone in this example. You could do some performance tweaking for your server.

Listing 1. unbound.conf after modifications

server:
    interface: 127.0.0.1
    interface: ::1
    # The interface: and outgoing-interface: entries for the server's own
    # 192.0.2.x and 2001:0db8:: addresses are illegible in the source scan.
    access-control: 192.0.2.0/24 allow
    access-control: 2001:0db8::/32 allow
    root-hints: "/usr/local/etc/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: yes
    val-log-level: 2
    local-zone: "example.org." typetransparent
    local-data: "host1.example.org A 192.0.2.1"
    local-data-ptr: "192.0.2.1 host1.example.org"
    local-data: "host2.example.org A 192.0.2.2"
    local-data-ptr: "192.0.2.2 host2.example.org"
    local-data: "host3.example.org A 192.0.2.3"
    local-data-ptr: "192.0.2.3 host3.example.org"
    local-data: "host1.example.org AAAA 2001:0db8::xxxx:xxxx:xxxx:xxx1"
    local-data-ptr: "2001:0db8::xxxx:xxxx:xxxx:xxx1 host1.example.org"
    local-data: "host2.example.org AAAA 2001:0db8::xxxx:xxxx:xxxx:xxx2"
    local-data-ptr: "2001:0db8::xxxx:xxxx:xxxx:xxx2 host2.example.org"
    local-data: "host3.example.org AAAA 2001:0db8::xxxx:xxxx:xxxx:xxx3"
    local-data-ptr: "2001:0db8::xxxx:xxxx:xxxx:xxx3 host3.example.org"

On the server, change /etc/resolv.conf accordingly, and for the hosts' resolv.conf point the nameserver entry at the Unbound server's 2001:0db8:: address (the address values themselves are illegible in the source scan).

Run unbound-checkconf. Since we are using DNSSEC, run unbound-anchor(8) before starting the server:

# unbound-anchor -a "/usr/local/etc/unbound/root.key"

Type unbound or restart the server.

Now, if you have configured some of your applications using IPv6 then the hostnames will be available; e.g., if you run ntp.org then the standard NTP query program will return hostnames instead of IPv6 addresses, which is very handy if you are looking at a terminal window. :)

% ntpq -p
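The article tells you to compare root.key against IANA's root-anchors.xml. The Python script below is an added example, not code from the article or from Unbound: it parses a DS line in root.key syntax (the article's own record is embedded, including the two-token wrapped form in which the magazine prints the digest) and a root-anchors.xml document, then reports whether the configured anchor is still among the published, currently valid anchors and which published anchors are missing from root.key. The XML is a constructed sample in IANA's layout: its first KeyDigest carries the article's values, the second (key tag 65000, all-zero digest) is a made-up placeholder for a newer key, and the validity dates are sample values.

```python
"""Check Unbound's root.key trust anchor against IANA's root-anchors.xml.

Added example for this article; not code from the article or from Unbound.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# The DS record the article puts in /usr/local/etc/unbound/root.key.
ROOT_KEY_LINE = (". IN DS 19036 8 2 "
                 "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

# Constructed sample in the layout of http://data.iana.org/root-anchors/root-anchors.xml.
# First KeyDigest: the article's values. Second: a made-up placeholder (tag 65000,
# all-zero digest) standing in for a newer key. Validity dates are sample values.
SAMPLE_ROOT_ANCHORS_XML = """<TrustAnchor id="constructed-sample" source="constructed">
<Zone>.</Zone>
<KeyDigest id="sample-ksk-2010" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
<KeyDigest id="placeholder-newer-key" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>65000</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>0000000000000000000000000000000000000000000000000000000000000000</Digest>
</KeyDigest>
</TrustAnchor>"""


def parse_ds_line(line):
    """Parse '<owner> IN DS <tag> <alg> <dtype> <digest>' into a tuple.

    The digest may be wrapped over several whitespace-separated tokens, as it
    is printed in the article; the tokens are joined before validation."""
    fields = line.split()
    if len(fields) < 7 or fields[1].upper() != "IN" or fields[2].upper() != "DS":
        raise ValueError("not a DS record: %r" % line)
    tag, alg, dtype = (int(f) for f in fields[3:6])
    digest = "".join(fields[6:]).upper()
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError("digest is not hexadecimal")
    if dtype == 2 and len(digest) != 64:  # digest type 2 is SHA-256: 32 bytes
        raise ValueError("SHA-256 digest must be 64 hex digits, got %d" % len(digest))
    return fields[0], tag, alg, dtype, digest


def published_anchors(xml_text, now_iso):
    """Return (tag, alg, dtype, digest) for each KeyDigest valid at now_iso,
    an ISO-8601 timestamp with a UTC offset such as '2011-11-01T00:00:00+00:00'."""
    now = datetime.fromisoformat(now_iso)
    anchors = []
    for kd in ET.fromstring(xml_text).findall("KeyDigest"):
        valid_from = datetime.fromisoformat(kd.get("validFrom"))
        until = kd.get("validUntil")
        valid_until = datetime.fromisoformat(until) if until else None
        if now < valid_from or (valid_until is not None and now >= valid_until):
            continue  # not yet valid, or already withdrawn
        anchors.append((int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
                        int(kd.findtext("DigestType")), kd.findtext("Digest").strip().upper()))
    return anchors


def check_trust_anchor(root_key_line, xml_text, now_iso):
    """Return ('current' or 'stale', missing).

    'stale' means the DS in root.key is no longer a published, valid anchor;
    missing lists published anchors that root.key does not contain."""
    owner, tag, alg, dtype, digest = parse_ds_line(root_key_line)
    if owner != ".":
        raise ValueError("root.key must anchor the root zone '.', not %r" % owner)
    published = published_anchors(xml_text, now_iso)
    configured = (tag, alg, dtype, digest)
    status = "current" if configured in published else "stale"
    return status, [a for a in published if a != configured]


def ds_lines(anchors):
    """Render anchors back into the one-line root.key syntax the article uses."""
    return [". IN DS %d %d %d %s" % a for a in anchors]


if __name__ == "__main__":
    for when in ("2011-11-01T00:00:00+00:00", "2018-01-01T00:00:00+00:00"):
        status, missing = check_trust_anchor(ROOT_KEY_LINE, SAMPLE_ROOT_ANCHORS_XML, when)
        print(when, "configured anchor is", status)
        for line in ds_lines(missing):
            print("  published but not in root.key:", line)
```

Whatever root.key contains is trusted unconditionally by validation, so run this against the real file only after verifying the detached signature IANA publishes next to it (root-anchors.p7s); unbound-anchor(8), which the article runs before starting the daemon, automates both that verification and RFC 5011 key rollover tracking.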


DARREL LEVITCH

Darrel is still recovering from a car crash and found that writing this article is not nearly as depressing as supineness. Due to a thunderstorm that began shortly after that sentence, the main thing keeping this article moving now is his uninterruptible power supply.
Keeping up to date in PC-BSD 9

Since the early days of PC-BSD, there have been various GUI mechanisms for performing critical system and security updates.

While these tools were necessary, they were badly in need of an overhaul to provide traditional command-line functionality, along with mechanisms for performing a greater variety of update types. In the upcoming PC-BSD 9 the new pc-updatemanager makes its debut, with many new features, pure command-line functionality and a streamlined GUI which makes desktop updating as painless as possible. First let us take a look at some of the functionality of this new tool from the command-line perspective.

In PC-BSD 9, all upgrade functionality can now be performed via the console, using the commands freebsd-update, for system security advisories, and pc-updatemanager, for updates to packages, tools and major system versions. The former command, freebsd-update, is included within the FreeBSD base operating system, and can now be safely used to perform security updates to the underlying operating system kernel and world environment. PC-BSD has always shipped with a default FreeBSD world environment, but starting in 9 it will include the GENERIC kernel as well, allowing freebsd-update to manage the full spectrum of security updates. More information on the usage of this built-in command can be found in the FreeBSD handbook: http://www.freebsd.org/doc/handbook/updating-freebsdupdate.html.
The pc-updatemanager command is unique to PC-BSD 9, and provides a few easy to use commands which can be used to check for, and install, several different types of updates. To start checking for updates, the first command to run is:

# pc-updatemanager check

This command will connect to the PC-BSD update server and fetch the latest digitally signed patch data for your specific version / architecture. If no updates are found, or your system is already updated, then the command will exit with a message to that effect. If an update is found, then another message with details about the available update will be printed, as shown in the example below:

# pc-updatemanager check
The following updates are available:
NAME: System Update to 9.0-BETA2
TYPE: SYSUPDATE
VERSION: 9.0-BETA2
DATE: 2011-09-10
TAG: release-9.0-BETA2

The output ends with the instruction to run "pc-updatemanager install release-9.0-BETA2". In this example, a single update has been found, which will upgrade the system to 9.0-BETA2. The command to start the update is always printed at the end of the output, making it easy for the user to immediately begin the process. Most updates are small and can be downloaded and installed in only a short time without a reboot. Usually this will be simply adding and updating a particular package, such as the NVIDIA driver, or some newer version of a PC-BSD utility with important bug fixes. In this example we will look at a more complex update of the entire operating system to a newer release.

By starting the update in the example above, pc-updatemanager would first begin by analyzing the system configuration and determining which desktops / meta-pkgs are installed, such as KDE, GNOME, LXDE, NVIDIA drivers, etc. After building this list, the update manager will start downloading the newer packages for these components, along with a new FreeBSD world / kernel. Once all files are downloaded and checksums verified, the user will be prompted to reboot the system and begin the upgrade. After rebooting, the update manager will start by removing the user's old system packages and installing the newer kernel / world environment. When done, the system will automatically reboot, and finish the update by installing the updated desktop / meta-pkgs. This process is entirely automated, and requires no interaction from the user, apart from rebooting the system to begin the update. This initial reboot is used to allow the user to finish working on their desktop, without the worry of a critical package being modified at an inconvenient moment.

Figure 1. Update GUI for PC-BSD 9 (the Update Manager window lists "System Upgrade: 9.0-BETA2 (2011-09-10)" under Available Updates, with Select / Deselect All, Rescan for Updates and Install selected updates controls)
While pc-updatemanager is capable of handling a wide variety of update types, its configuration is relatively simple with only a few important options to take note of. Nearly all settings are stored in the main configuration file, /usr/local/etc/pcbsd.conf. Some common settings are listed below, with a brief description of each. In addition, all of these settings may also be set via the GUIs in the PC-BSD control panel, allowing users uncomfortable with the command-line to customize with only a few clicks.

# Mirror for System Updates / Meta-Pkgs
PCBSD_MIRROR: ftp://ftp.pcbsd.org/pub/mirror

# Proxy Server URL
PCBSD_PROXYURL: http://proxy.example.org

# Proxy Server Port
PCBSD_PROXYPORT: <port>

# Proxy Username
PCBSD_PROXYUSER: <username>

# Proxy Password
PCBSD_PROXYPASS: <password>

At the moment the only settings normally adjusted are the ones shown above, such as changing the default mirror server, or adjusting the system to use a proxy server for connectivity. These can also be set in the System Manager and Network Manager GUIs respectively.

We've taken a look at the command-line functionality of the new pc-updatemanager, but for most desktop users a GUI solution is often the only viable one. In 9.0 the GUI tools have been slimmed down and streamlined into a single interface which can perform updates from both the pc-updatemanager and freebsd-update CLI backends.

With both a fully command-line driven backend and an easy to use front-end, PC-BSD has never been easier to keep up to date with the latest security patches and versions. Administrators also have a new degree of control, by being able to disable the GUI entirely via sudo, and perform updates via the command-line transparently to the desktop user.

KRIS MOORE

Kris Moore is the founder and lead developer of PC-BSD. He lives with his wife and four children in East Tennessee (USA), and enjoys building custom PCs and gaming in his (limited) spare time. kris@pcbsd.org
Using Life Preserver to Backup a PC-BSD 9.0 System to FreeNAS™ 8.0.1

This article demonstrates how to use the built-in Life Preserver program to backup a PC-BSD 9.0 desktop system to a FreeNAS™ 8.0.1 NAS system. Users can refer to the Guides at http://wiki.pcbsd.org/index.php/PC-BSD_9_Handbook and http://doc.freenas.org for instructions on how to install PC-BSD and FreeNAS™.

What you will learn...
- how to create an automated backup solution

What you should know...
- how to install PC-BSD and FreeNAS™

PC-BSD provides a graphical Life Preserver utility to make it easy for a desktop user to back up their home directory to another computer or storage appliance using rsync and SSH. Once a full backup has been created, rsync will only send the files that have changed since the last backup to the backup device. The data is protected while being transferred over the network due to the encryption provided by SSH.

Figure 1. Create a ZFS Volume (the Add Volume dialog lists the disks ada0 to ada3 (1.0TB each), the filesystem type, a "Force 4096 bytes sector size" option, and the group type: mirror, stripe, raid3, RAID-Z or RAID-Z2; existing data will be cleared)

Configure FreeNAS™

In order to prepare the FreeNAS™ system to store the backups created by Life Preserver, you will need to: create a dataset to store the user's backup, create a user account that has permission to access that dataset, and enable the SSH and rsync services.

Figure 2. Creating a Dataset from a ZFS Volume
Figure 3. Creating a ZFS Dataset (the Create ZFS Dataset dialog: volume backups, dataset name dru, compression level Inherit, enable atime Inherit/On/Off, a 200G quota for this dataset, and the quota and reserved-space fields for the dataset and all children)


Create a Dataset 

In ZFS terminology, a dataset is a portion of a ZFS 
volume. Datasets allow you to create a storage area for 
an individual user; datasets also allow you to configure 
compression and a storage quota on a per dataset basis. 
Users will only see the data on their own dataset and are 
restricted to the disk space that you configure for the 
dataset. 

Before you can create a dataset, you must first create a 
ZFS volume. In the FreeNAS™ 8.0.1 web administration 
interface, go to Storage->Volumes->Add Volume. As 
seen in Figure 1, the available (unformatted) disks will be 
listed. 

In this example, the FreeNAS™ system has four 1TB drives. If I select to create a ZFS stripe using all four drives, the resulting volume will have the maximum storage capacity (~3.6TB) but will not have any redundancy (if one drive fails, the entire volume fails). If I select to create a ZFS RAIDZ1, the resulting volume will provide redundancy (can survive the failure of one disk), but will have reduced storage capacity (~2.8 TB) due to the parity information. I have chosen to create a ZFS stripe named backups. Once the volume is created, it will appear in Storage->Volumes->View all Volumes, as seen in Figure 2.

Figure 4. Creating a User Account

Figure 5. Viewing a Dataset's Permissions

Click the icon Create ZFS Dataset to see the screen 
shown in Figure 3. In this example, a dataset named dru 
was created with a disk quota of 200GB. If your network 
contains multiple PC-BSD desktops or if several users 
share the PC-BSD system, create a dataset for each user. 
You can make as many datasets as you wish, assuming 
that free disk space still exists on the ZFS volume. 

If you choose to use quotas, be sure to give the dataset 
sufficient space to store a full backup and the amount of 
incremental backups that you will schedule (e.g. a week’s 
or a month's worth of daily backups). 


Create a User

Once you have created the dataset, create a user account to associate with each dataset. To create a user account, go to Account->Users->Add User. In the example shown in Figure 4, a user account has been created for dru.

IMPORTANT

Change the Home Directory to the full pathname of the dataset for this user; in this example it is /mnt/backups/dru. If you are configuring backups for several users, create a user account for each user, being sure to give each user their own dataset as their home directory.

Figure 6. Enable the Rsync and SSH Services
Figure 7. Input the IP Address and Username (the wizard's Remote Device screen: Host Name 192.168.2.7, User Name dru, SSH Port 22; note: the remote server should be running SSH and have rsync installed)


You can verify that the dataset’s permissions are correct by 
going to Storage->Volumes->View All Volumes and clicking 
the Change Permissions icon (third from the left). In the 
example shown in Figure 5, the user dru has permission 
to the dataset; this was automatically configured when the 
dataset path was selected as the user's home directory. 
Depending upon your needs, you may wish to remove the 
read permissions for group and other; note that this will not 
affect the superuser’s ability to read the files in the backup. 
Do not change the type of ACL (keep it at Unix). 


To enable the rsync and SSH services on FreeNAS™, go to Services->Control Services. Click the red OFF button next to Rsync. After a second or so, it will change to a blue ON, indicating that the service has been enabled. Repeat for the SSH service.


Figure 8. Select the Backup Schedule (Scheduled Backups: Disable automatic backups, Backup daily, Backup weekly)

Preparing to setup SSH key authorization...
When prompted, enter your password for dru@192.168.2.7
The authenticity of host '192.168.2.7 (192.168.2.7)' can't be established.
RSA key fingerprint is [illegible in the source scan].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.7' (RSA) to the list of known hosts.
dru@192.168.2.7's password:

Figure 9. Testing the Connection to the FreeNAS™


In version 9.0 of PC-BSD, Life Preserver appears as an icon in the system tray. It can also be launched from Control Panel->Life Preserver.

The first time you run Life Preserver, the Life Preserver 
Wizard will launch, indicating that you need to know the 
IP address and username/password to connect to the 
backup device. Click the Get Started button, then Next to 
see the screen shown in Figure 7. Input the IP address of 
the FreeNAS™ system and the name of the user account 
that you created and associated with a dataset. 

Click Next and select how often you would like the 
backup to occur, as seen in Figure 8. The default is to 
not create an automatic backup, meaning that you will 
perform the backup manually as needed. You can choose 
to instead automatically backup your home directory once 
a day or once a week. 

After making your selection, click Next then Finish. The 
Wizard will display a message indicating that it will test the 
connection to the FreeNAS™ system. Click Finish again 
and input the word yes and then the user's password 
when prompted, as seen in Figure 9. 

Once the connection is successful, the preserver (the configuration for the backup) will appear in the preservers list, as seen in Figure 10, with the following information:

Figure 10. Daily Preserver with a Successful Backup (the File Preservers list has the columns Backup Server, Last Backup, Schedule and Status, and a right-click menu with Edit, Restore From and Remove)

Backup Server: indicates the user account and IP address of the backup server.

Last Backup: indicates whether or not the backup was successful. If you chose to automate backups, the first backup will happen immediately. Otherwise nothing happens until you press the Start button. How long the first backup takes depends upon the size of the home directory and the speed of your network.

Schedule: indicates disabled, daily, or weekly.

Status: Running indicates that the backup is occurring now.

If you right-click the preserver, you can choose to edit the settings, restore from backup, or remove the configuration.

Figure 11. The Life-Preserver Settings screen and the Modify Include List screen (Backup Options: Number of backups to keep (7), Remove incomplete or failed backups; Scheduled Backups: Disable automatic backups, Backup daily, Backup weekly; buttons Modify Include List and Modify Exclude List; note: please use full path names, wildcards such as * are supported)

Figure 12. List of Backups (Available Backups: back-2011-08-17T09_11_08 and back-2011-08-16T17_07_15, with a Select Backup button)
BSD Certification

The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.

WHAT CERTIFICATIONS ARE AVAILABLE?

BSDA: Entry-level certification suited for candidates with a general Unix background and at least six months of experience with BSD systems.

BSDP: Advanced certification for senior system administrators with at least three years of experience on BSD systems. Successful BSDP candidates are able to demonstrate strong to expert skills in BSD Unix system administration.

WHERE CAN I GET CERTIFIED?

We're pleased to announce that after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.

Payments are made through our registration website: https://register.bsdcertification.org//register/payment

WHERE CAN I GET MORE INFORMATION?

More information and links to our mailing lists, LinkedIn groups, and Facebook group are available at our website: http://www.bsdcertification.org

Registration for upcoming exam events is available at our registration website: https://register.bsdcertification.org//register/get-a-bsdcg-id


Figure 13. Choosing Which File or Directory to Restore (the restore screen reads "List the files/dirs you wish to restore below, use commas for multiple files. Files must begin with '/'", with /usr/home/dru/Documents/ entered, a "Restore Relative to specified directory" option, and a Restore button)


Figure 11 shows the screen if you select Edit, as well as 
the screen if you also select Modify Include List. 

By default, Life Preserver makes a backup of the user’s 
home directory and stores the last 7 backups. If you wish 
to exclude files from your home directory or include files 
outside of your home directory, use the buttons to Modify 
Exclude List or Modify Include List. 
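Life Preserver keeps the last 7 backups, names each one back-YYYY-MM-DDTHH_MM_SS, and offers an option to remove incomplete or failed backups (Figure 11). The Python below is an added example, not Life Preserver's own code: it works out which backup directories a retention rule would keep or delete, ordering them by the timestamp embedded in the name rather than by string order, and holds back anything that does not parse as a backup name, such as the current shortcut or a directory with a malformed name, so a pruning pass never removes those by accident. The directory listing is constructed; only the August 17 and August 16 names are from the article.

```python
"""Retention planning for Life Preserver-style backup directories.

Added example for this article; not code from PC-BSD's Life Preserver.
"""
import re
from datetime import datetime

# Backup directories are named back-YYYY-MM-DDTHH_MM_SS, as in Figure 12 of the article.
BACKUP_NAME = re.compile(r"^back-(\d{4}-\d{2}-\d{2})T(\d{2})_(\d{2})_(\d{2})$")

# Constructed listing of a dataset such as /mnt/backups/dru. The August 17 and 16
# names are from the article; the rest are made up for the example.
SAMPLE_LISTING = [
    "current",                   # shortcut to the latest backup: never a deletion candidate
    "back-2011-08-17T09_11_08",
    "back-2011-08-16T17_07_15",
    "back-2011-08-15T17_07_02",
    "back-2011-08-14T17_06_58",
    "back-2011-08-13T17_07_10",
    "back-2011-08-12T17_07_33",
    "back-2011-08-11T17_07_21",
    "back-2011-08-10T17_07_05",
    "back-2011-08-09T17_07_44",
    "back-2011-08-08T25_00_00",  # constructed damaged name: hour 25 does not exist
]


def parse_backup_name(name):
    """Return the datetime encoded in a backup directory name, or None when the
    name is not a well-formed backup name (wrong pattern or impossible time)."""
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    date, hh, mm, ss = m.groups()
    try:
        return datetime.strptime("%s %s:%s:%s" % (date, hh, mm, ss), "%Y-%m-%d %H:%M:%S")
    except ValueError:  # e.g. hour 25 or month 13
        return None


def plan_retention(names, keep=7):
    """Split names into (keep, delete, unrecognised).

    Well-formed backups are ordered by their embedded timestamp, newest first,
    and the newest `keep` survive (7 is Life Preserver's default). Names that do
    not parse are reported separately instead of being deleted, so the `current`
    shortcut and anything the tool cannot identify are left for a human."""
    dated, unrecognised = [], []
    for name in names:
        when = parse_backup_name(name)
        if when is None:
            unrecognised.append(name)
        else:
            dated.append((when, name))
    dated.sort(reverse=True)  # newest first, by parsed time rather than string order
    return ([n for _, n in dated[:keep]],
            [n for _, n in dated[keep:]],
            unrecognised)


if __name__ == "__main__":
    kept, doomed, odd = plan_retention(SAMPLE_LISTING)
    print("keep     :", kept)
    print("delete   :", doomed)
    print("look into:", odd)
```

Deleting is left to the caller on purpose: a retention rule that silently removes whatever it does not understand is how a misnamed directory or a shortcut disappears together with the data it points at.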


Restoring Files

If you choose the option Restore From, you will be presented with a list of the stored backups. In the example shown in Figure 12, the preserver is scheduled to backup daily and a backup exists for August 17 (back-2011-08-17T09_11_08) and August 16 (back-2011-08-16T17_07_15). If I highlight the backup for August 17 and click Select Backup, I'll see the screen in Figure 13. In this example, I've chosen to restore my Documents directory.

When doing a restore, give the full path to the file or directory. The full path will always begin with /usr/home/$USERNAME/ where you replace $USERNAME with the name of your user.


Figure 14. Using Krusader to Browse Backups
Using a Graphical File Manager to Browse Backups

Since Life Preserver uses SSH for backups and restores, users can use SSH-based utilities such as scp and sftp to view and copy backed-up files. If you prefer a graphical utility to a command-line one, there are several options, depending upon which desktop you are running; your desktop may not have a graphical utility that understands sftp. If you're not sure, Krusader2 is available and provides a dual-pane file manager that understands sftp.

To access the FreeNAS™ system, type sftp://192.168.2.7 into the address bar of one of the panes, replacing the IP address with the value for your FreeNAS™ system. When the login prompt appears, input the username and password of your user. Figure 14 shows a listing of the stored backups in the life-preserver directory in the left pane and the user's home directory on their PC-BSD system in the right pane. If you expand either a backup or current (a shortcut to the latest backup), you can navigate to usr/home/$USER and view the contents of your user's home directory. You can then highlight the files/directories that you wish to restore, right-click on the selection, click Copy, and the selection will be copied to the home directory on the PC-BSD system.


Summary 

This article demonstrated how easy it is to backup a 
user's home directory to a FreeNAS™ system using PC- 
BSD’s built-in Life Preserver utility. It also demonstrated 
how to use the graphical Krusader utility to view backups 
and perform file and directory restores. 


DRU LAVIGNE

Recovering data with Hammer

We've all experienced instant regret. That's the feeling that
comes within a second of executing a command like „rm -f * .txt”
(note the space), or of cutting the wrong cluster of
wires at the end of a long conduit. Not that I am quoting from
experience, or anything like that, no...

Hammer, DragonFly's default file system, can help with that.
Perhaps not with the cut wires, but with the loss of important
files. Hammer will keep a record of the data changed every
time a disk is synced, approximately every 30 seconds, so
file history is saved under normal circumstances. Hammer
also supports snapshots, where the state of an entire file
system is saved for access later. Since file history and
snapshots only contain the changes to the data, they are
relatively sparse and don't eat much more storage space.

These two aspects together mean that if you are going to
make a mistake, doing it while on a Hammer-running
operating system can make your life much easier. This
article contains some „case studies” of the various ways
Hammer fixes what you did wrong.

Simple case: I scrambled a file

The most simple case: you've scrambled a file. Maybe
you rewrote several lines and saved it, or accidentally
mashed the keyboard, but either way the file is still
present, just wrong. By default, the undo tool will print
the previous version of a file, with a note about the
timestamp of the last change, prefixed with >>. See
Listing 1. Other options exist, like iterating over all
previous versions saved to disk, or generating a diff.
Even if you delete the file, it'll still work.




More complicated: A lost file

This is all fine when you still know the location of
the file, but what if it's a month later, and you need one file
out of hundreds in a directory? Manually retrieving each
file and searching it would either be a large amount of
labor, or some time writing an appropriate shell script.

This is where snapshots come in. Hammer volumes
automatically take snapshots, and do so by default on a
daily basis, storing up to 60 days of snapshots.

Snapshots are stored in disk meta-data, so they can be
listed using the hammer command. See Listing 2.

Each one of those unique transaction IDs points to this
system's /var as it looked at that date in time. The
directory /var/hammer contains links to the history of
each Hammer pseudo-filesystem. Listing 3 shows example
contents for the usr directory in that setup.

Notice that the default name on each of the transaction
links shows the date of the snapshot, so getting an
initial snapshot list may not even be necessary.

It's possible to cd into the appropriate directory and
perform operations as if it was a normal directory. It's
read-only, of course, since it's a historical snapshot.


Listing 2. Snapshot meta-data listing

# hammer snapls /var
Snapshots on /var    PFS #1
Transaction ID        Timestamp              Note
0x00000001b40cbf10    2011-06-21 03:01:06    -
0x00000001b421f010    [illegible]            -
[listing trimmed to save paper]
0x00000001bfe1b6a0    [illegible]            -
0x00000001c028a210    [illegible]            -

Listing 3. Automatic snapshots

# ls /var/hammer/usr
snap-20110622-0301 -> /usr/@@0x00000001b422f0f0
snap-20110623-0301 -> /usr/@@0x00000001b4389140
snap-20110624-0301 -> /usr/@@0x00000001b45050f0
[again, trimmed to save paper]
snap-20110818-0303 -> /usr/@@0x00000001bf97cc30
snap-20110819-0301 -> /usr/@@0x00000001bfe1b820
snap-20110820-0301 -> /usr/@@0x00000001c028a310
While this example shows automatic snapshots, it's
possible to trigger snapshots at any arbitrary time.

For example, it's possible to perform before-and-after
comparisons when installing software, by taking a
snapshot before installation and just after, and then using
normal filesystem tools to compare the affected areas
afterwards.
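
The before-and-after comparison described above, as an added example that is not part of the original article or of DragonFly's own tooling: a POSIX shell function that checksums every regular file under two directory trees and reports what was added, removed or modified between them. On a Hammer system the two roots would be a snapshot link such as /var/hammer/usr/snap-20110622-0301 from Listing 3 (or the /usr/@@0x... path it points to) and the live /usr; the demo function builds two small constructed trees in a temporary directory instead, so it runs anywhere. The paths in the usage comment are assumed from Listing 3.

```sh
#!/bin/sh
# Added example: compare two filesystem trees (e.g. a Hammer snapshot and the
# live filesystem) and list files that were added, removed or modified.

# Print "crc:size<TAB>relative/path" for every regular file under $1.
snapshot_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sum=$(cksum < "$f" | tr ' ' ':')      # "crc:size", no filename
          printf '%s\t%s\n' "$sum" "${f#./}"
      done )
}

# Usage: snapshot_diff BEFORE_ROOT AFTER_ROOT
# Output: "added    path" / "modified path" / "removed  path", sorted by path.
snapshot_diff() {
    before_m=$(mktemp); after_m=$(mktemp)
    snapshot_manifest "$1" > "$before_m"
    snapshot_manifest "$2" > "$after_m"
    awk -F'\t' '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        {
            if (!($2 in before))        print "added    " $2
            else if (before[$2] != $1)  print "modified " $2
            delete before[$2]
        }
        END { for (p in before) print "removed  " p }
    ' "$before_m" "$after_m" | LC_ALL=C sort -b -k2
    rm -f "$before_m" "$after_m"
}

# Demo on two constructed trees standing in for a pre-install snapshot and the
# live filesystem after a package install: rc.conf edited, old.so replaced.
snapshot_diff_demo() {
    root=$(mktemp -d)
    for d in before after; do
        mkdir -p "$root/$d/etc" "$root/$d/usr/bin" "$root/$d/usr/lib"
        printf 'ls binary\n' > "$root/$d/usr/bin/ls"     # unchanged file
    done
    printf 'hostname="bsd"\n' > "$root/before/etc/rc.conf"
    printf 'hostname="bsd"\napache22_enable="YES"\n' > "$root/after/etc/rc.conf"
    printf 'old library\n' > "$root/before/usr/lib/old.so"
    printf 'new library\n' > "$root/after/usr/lib/new.so"
    snapshot_diff "$root/before" "$root/after"
    rm -rf "$root"
}

# Real use on DragonFly (paths assumed from Listing 3):
#   snapshot_diff /var/hammer/usr/snap-20110622-0301 /usr
```

Because a snapshot is read-only, the "before" manifest cannot be tampered with by whatever the install ran, which is what makes this a usable integrity check and not just a convenience: anything the package touched outside its own directory shows up as modified.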


Really, really catastrophic recovery

If your Hammer filesystem becomes corrupt, perhaps
due to bad disk firmware, there is a 'hammer recover'
command. This command looks for any files
that can be reconstructed based on whatever
data is left on the disk, and rebuilds them.
Even if the metadata that outlines the file
system is corrupted, the data itself may
still be physically present and identifiable.
It's even possible to take an image of a
Hammer volume, use it on a virtual machine, and
'hammer recover' the image there to rebuild data without
risk of further loss from physical disk activity, in a
scenario where the hardware is itself damaged and likely
to scramble itself further.

Note that I didn't say anything about a power outage.
Hammer is designed to survive sudden cuts of power.
Anything's possible in a power surge or loss, of course,
but one of the initial tests for Hammer was starting
intensive disk operations and then yanking power from
the running system, so some thought has been put into
preventing power issues.


Conclusion

With Hammer, you can see every version of your files
that's ever been committed to disk, limited only by the Hammer
settings and the available disk space. There's a lot more
possible with Hammer. Snapshots can be streamed to
other Hammer volumes over the network, for remote
backup. Snapshots can be kept independently on the
remote volumes, too... but that's another article.

JUSTIN C. SHERRILL
Justin Sherrill has been publishing the DragonFly BSD Digest
since 2004, and is responsible for several other parts of
DragonFly that aren't made out of code. He lives in the
United States and works over a thousand feet underground.
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HOW TO’S 


Apache2, php5, mysql5, modsecurity2.5

Installation and configuration in order to protect dynamic
websites from various attacks, in FreeBSD 8.2

In the last years there has been a tremendous increase in dynamic websites and CMSs
using PHP. A very large part of these websites are served by the Apache
web server using MySQL as the database, mostly on Unix systems. This tremendous
growth of PHP-based dynamic websites and open source CMSs like Joomla also increases
the number of attacks aimed at compromising a website or taking over the server to use it
in a botnet. So someone can wonder: is there anything that can protect my websites
apart from backups and keeping the system and software upgraded? The answer is yes.

What you will learn...
• Installing and configuring apache 2.2.x
• Installing and configuring php 5.3.x
• Installing modules for php5
• Installing and configuring MySQL 5
• Installing and configuring mod_security 2.5
• How to test your site for attacks like SQL injection and Cross Site
  Scripting

What you should know...
• Installing FreeBSD 8.2
• Using vi or any console editor
• Basic Unix commands like mv, cp etc.
• Installing Joomla 1.7 CMS
• Using phpmyadmin

In this article I am going to guide you step by step through
how to install the apache 2.2.x web server and php 5.3.x, and
configure apache to run php scripts in order to host a
dynamic website or CMS like Joomla in FreeBSD. I will
also show the procedure to install MySQL and phpmyadmin
in order to manage MySQL databases easily. Then we will
secure the apache web server from various attacks like XSS
using modsecurity, and finally we will install the Joomla CMS
and try some hacking on it to see if the web server
is secured. First add

hostname="your.hostname.com"

to /etc/rc.conf.

Update ports tree

#portsnap fetch

If you run portsnap for the first time
then use

#portsnap extract

and then

#portsnap update

Otherwise you can use portsnap update directly without first
needing to run portsnap extract.

Or you can use the pkg_add utility, but I prefer using ports
and compiling my packages instead of using precompiled
packages.


Installing portaudit
Portaudit is a very nice utility that checks installed ports, or
ports that are going to be installed, against the list of known
vulnerabilities.

#cd /usr/ports/ports-mgmt/portaudit

#make install clean

Reload shell commands

#rehash

Figure 1. Choosing apache modules to be installed

Update the portaudit database to get new vulnerabilities

#portaudit -F

Running portaudit -a afterwards audits everything already
installed, and once the database is present the ports system
refuses to build a port with a known unfixed vulnerability.


Installing apache
Go to the port directory

#cd /usr/ports/www/apache22

#make install clean

In the menu that appears we can disable or enable the
modules that we will need. In this setup we are
going to use the web server to serve websites, not svn,
so I disable modules like mod_dav that we have no use for;
every module left out is attack surface (and a history of
vulnerabilities) the server no longer carries. We enable or
disable features using the spacebar, and tab to go to the OK
button (Figure 1).


About modules

• mod_access — Provides access control based on client
  hostname, IP address, or other characteristics of the
  client request.
• mod_actions — This module provides for executing CGI
  scripts based on media type or request method.
• mod_alias — Provides for mapping different parts of
  the host filesystem in the document tree and for URL
  redirection
• mod_asis — Sends files that contain their own HTTP
  headers
• mod_auth — User authentication using text files
• mod_auth_anon — Allows anonymous user access to
  authenticated areas
• mod_auth_dbm — Provides for user authentication using
  DBM files
• mod_auth_digest — User authentication using MD5
  Digest Authentication.
• mod_auth_ldap — Allows an LDAP directory to be used
  to store the database for HTTP Basic authentication.
• mod_autoindex — Generates directory indexes,
  automatically, similar to the Unix ls command or the
  Win32 dir shell command
• mod_cache — Content cache keyed to URIs.
• mod_cern_meta — CERN httpd metafile semantics
• mod_cgi — Execution of CGI scripts
• mod_cgid — Execution of CGI scripts using an external
  CGI daemon
• mod_charset_lite — Specify character set translation
  or recoding
• mod_dav — Distributed Authoring and Versioning
  (WebDAV) functionality
• mod_dav_fs — filesystem provider for mod_dav
• mod_deflate — Compress content before it is delivered
  to the client
• mod_dir — Provides for trailing slash redirects and
  serving directory index files
• mod_disk_cache — Content cache storage manager
  keyed to URIs
• mod_dumpio — Dumps all I/O to error log as desired.
• mod_echo — A simple echo server to illustrate protocol
  modules
• mod_env — Modifies the environment which is passed
  to CGI scripts and SSI pages
• mod_example — Illustrates the Apache module API
• mod_expires — Generation of Expires and Cache-Control
  HTTP headers according to user-specified criteria
• mod_ext_filter — Pass the response body through an
  external program before delivery to the client
• mod_file_cache — Caches a static list of files in
  memory
• mod_headers — Customization of HTTP request and
  response headers
• mod_imap — Server-side imagemap processing
• mod_include — Server-parsed html documents (Server
  Side Includes)
• mod_info — Provides a comprehensive overview of the
  server configuration
• mod_isapi — ISAPI Extensions within Apache for
  Windows
• mod_ldap — LDAP connection pooling and result
  caching services for use by other LDAP modules
• mod_log_config — Logging of the requests made to the
  server
• mod_log_forensic — Forensic Logging of the requests
  made to the server
• mod_logio — Logging of input and output bytes per
  request
• mod_mem_cache — Content cache keyed to URIs
• mod_mime — Associates the requested filename's
  extensions with the file's behavior (handlers and
  filters) and content (mime-type, language, character
  set and encoding)
• mod_mime_magic — Determines the MIME type of a file
  by looking at a few bytes of its contents
• mod_negotiation — Provides for content negotiation
• mod_nw_ssl — Enable SSL encryption for NetWare
• mod_proxy — HTTP/1.1 proxy/gateway server
• mod_proxy_connect — mod_proxy extension for CONNECT
  request handling
• mod_proxy_ftp — FTP support module for mod_proxy
• mod_proxy_http — HTTP support module for mod_proxy
• mod_rewrite — Provides a rule-based rewriting engine
  to rewrite requested URLs on the fly
• mod_setenvif — Allows the setting of environment
  variables based on characteristics of the request
• mod_so — Loading of executable code and modules
  into the server at start-up or restart time
• mod_speling — Attempts to correct mistaken URLs that
  users might have entered by ignoring capitalization
  and by allowing up to one misspelling
• mod_ssl — Strong cryptography using the Secure
  Sockets Layer (SSL) and Transport Layer Security
  (TLS) protocols
• mod_status — Provides information on server activity
  and performance
• mod_suexec — Allows CGI scripts to run as a specified
  user and Group
• mod_unique_id — Provides an environment variable
  with a unique identifier for each request
• mod_userdir — User-specific directories
• mod_usertrack — Clickstream logging of user activity
  on a site
• mod_version — Version dependent configuration
• mod_vhost_alias — Provides for dynamically configured
  mass virtual hosting

More info on the modules can be found on the apache website
http://httpd.apache.org/docs/2.0/mod/

Figure 2. Apache installation procedure begins (the port
fetches httpd-2.2.19.tar.bz2 and verifies its SHA256 checksum)

Figure 3. One of the many prompts you will get (options for
m4 1.4.16,1)

Figure 4. Apache installation procedure ends

Then press tab to go to the OK button and press enter to
continue (Figure 2). In the next screens that appear
(Figure 3) accept the default values and click OK to continue
the installation. When the installation finishes you will see
Figure 4.

To make apache start at boot time, add this line to
/etc/rc.conf:

#echo 'apache22_enable="YES"' >> /etc/rc.conf

Starting apache

#/usr/local/etc/rc.d/apache22 start

Disable directory indexing. In /usr/local/etc/apache22/httpd.conf
change

Options Indexes FollowSymLinks

to

Options FollowSymLinks

(add MultiViews only if you rely on content negotiation). Do not
write "Options All -Indexes ...": Apache rejects a directive that
mixes plain option names with +/- ones, and All would also switch
on Includes and ExecCGI, which a plain PHP site has no use for.
Run apachectl configtest after every change to httpd.conf.

To check which modules are loaded (once mod_security is
installed later in this article, it should appear here too)

#apachectl -t -D DUMP_MODULES


Figure 5. Configuring php (the lang/php5 options dialog:
CLI, CGI, FPM, APACHE, AP2FILTER, DEBUG, SUHOSIN, MULTIBYTE,
IPV6, MAILHEAD)
You should see in the list

unique_id_module (shared)
security2_module (shared)

Note
If you get the warning

[warn] (2)No such file or directory: Failed to enable the
httpready Accept Filter

add the following line to /boot/loader.conf:

echo 'accf_http_load="YES"' >> /boot/loader.conf

and restart the system to load it (or load it right away with
kldload accf_http).

Installing php

# cd /usr/ports/lang/php5

# make config

Check "Build Apache module" and click OK (Figure 5).

# make install clean

Check in /usr/local/etc/apache22/httpd.conf that there is the line

LoadModule php5_module libexec/apache22/libphp5.so

Also replace this block

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

with

<IfModule dir_module>
    DirectoryIndex index.php index.htm index.html
</IfModule>


Figure 6. Choosing php extensions (the lang/php5-extensions
options dialog, showing among others pcntl, PDFlib, PDO,
PDO sqlite, PostgreSQL, POSIX, pspell, readline and recode)
And also add this block inside httpd.conf

<IfModule php5_module>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>

Create the php.ini config from the production template (it
ships with display_errors and short_open_tag off, which is
what you want on a public server; setting expose_php = Off
as well stops PHP advertising its version in the headers)

#cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Now we will install the php extensions needed by CMSs like
Joomla

#cd /usr/ports/lang/php5-extensions

#make config

In the screen that appears we choose, in addition to the default
values, bz2, curl, exif, ftp, mysql, odf, pdf, session,
gd, mcrypt, zip, zlib (Figure 6). Click OK.

Then start the installation

#make install clean

and click OK to continue the installation. After the installation
finishes, restart apache

Figure 7. phpinfo() test page (System: FreeBSD localhost
8.2-RELEASE i386, PHP build date Aug 9 2011)
Figure 8. Configuring mysql server (databases/mysql55-server
options: OPENSSL, replace mutexes with spinlocks)


#/usr/local/etc/rc.d/apache22 restart

Create a test page to see if php is working. The easiest is
using the phpinfo() function

#mv /usr/local/www/apache22/data/index.html /usr/local/www/apache22/data/itworks.html

#echo '<?php phpinfo(); ?>' > /usr/local/www/apache22/data/index.php

Use the full <?php tag: php.ini-production sets short_open_tag
to Off, so a page written as <? phpinfo(); ?> would be served as
plain text. Then test your website in a web browser

http://your domain name or your ip/

You should see a page like Figure 7. Delete index.php once you
have seen it: phpinfo() lists the exact PHP version, loaded
extensions and filesystem paths, which is free reconnaissance
for an attacker.
Installing mysql

#cd /usr/ports/databases/mysql55-server

#make install clean

In the screen that appears keep the default config and
click OK (Figure 8).
Enable the mysql server to start at boot

#echo 'mysql_enable="YES"' >> /etc/rc.conf

Start the mysql server

#/usr/local/etc/rc.d/mysql-server start

Because by default the mysql server listens on all IP
interfaces, this is not secure. We want the mysql server to listen
only on localhost, because we are going to use it only for
websites on the same machine. So we also need to add the bind
address in rc.conf. The command is

#echo 'mysql_args="--bind-address=127.0.0.1"' >> /etc/rc.conf

And then we restart mysql to pick up the new settings

#/usr/local/etc/rc.d/mysql-server restart

Confirm it with sockstat -4 -l: the mysqld line should show
127.0.0.1:3306 as the local address, not *:3306 (Figure 10).
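
A post-install check for the settings changed in the two steps above (directory indexing off and mod_unique_id plus mod_security loaded in httpd.conf; mysqld bound to 127.0.0.1), as an added example that is not part of the original article. It is a POSIX shell script whose two functions read an httpd.conf and the output of sockstat -4 -l. The configuration fragments and sockstat listings built into it are constructed for the demo; the paths in the usage comment are the ones used in this article.

```sh
#!/bin/sh
# Added example: audit the Apache and MySQL settings hardened in this article.

# audit_httpd_conf FILE
# Fails if any uncommented Options line turns on directory indexing
# ("Indexes", "+Indexes" or "All", which includes Indexes), or if
# mod_security / mod_unique_id are not loaded.
audit_httpd_conf() {
    awk '
        $1 == "Options" {
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "+Indexes" || $i == "All" || $i == "+All") {
                    bad++
                    printf "FAIL line %d: directory indexing enabled: %s\n", NR, $0
                }
        }
        $1 == "LoadModule" && $2 == "security2_module" { sec = 1 }
        $1 == "LoadModule" && $2 == "unique_id_module" { uid = 1 }
        END {
            if (!sec) { bad++; print "FAIL: security2_module not loaded" }
            if (!uid) { bad++; print "FAIL: unique_id_module not loaded (mod_security needs it)" }
            if (bad) exit 1
            print "OK: indexing off, mod_security and mod_unique_id loaded"
        }
    ' "$1"
}

# audit_mysql_listen [FILE]
# Reads `sockstat -4 -l` output (FILE, or stdin when omitted) and fails if
# mysqld has a TCP listener on anything but 127.0.0.1.
audit_mysql_listen() {
    awk '
        $2 == "mysqld" && $5 ~ /^tcp/ {
            if ($6 ~ /^127\.0\.0\.1:/) ok++
            else { bad++; printf "FAIL: mysqld listening on %s\n", $6 }
        }
        END {
            if (bad) exit 1
            if (!ok) print "no mysqld TCP listener (fine if skip-networking is set)"
            else print "OK: mysqld bound to 127.0.0.1 only"
        }
    ' "${1:--}"
}

# Constructed samples for the demo: httpd.conf as shipped and as hardened,
# sockstat output before and after --bind-address=127.0.0.1.
sample_httpd_conf_shipped() {
    cat <<'EOF'
LoadModule unique_id_module libexec/apache22/mod_unique_id.so
<Directory "/usr/local/www/apache22/data">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
}
sample_httpd_conf_hardened() {
    cat <<'EOF'
LoadModule unique_id_module libexec/apache22/mod_unique_id.so
LoadModule security2_module libexec/apache22/mod_security2.so
<Directory "/usr/local/www/apache22/data">
    #Options Indexes FollowSymLinks
    Options FollowSymLinks
    AllowOverride None
</Directory>
EOF
}
sample_sockstat_open() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   *:3306                *:*
www      httpd      1100  3  tcp4   *:80                  *:*
EOF
}
sample_sockstat_local() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   127.0.0.1:3306        *:*
mysql    mysqld     1234  11 stream /tmp/mysql.sock
www      httpd      1100  3  tcp4   *:80                  *:*
EOF
}

# Real use on the server built in this article:
#   audit_httpd_conf /usr/local/etc/apache22/httpd.conf
#   sockstat -4 -l | audit_mysql_listen
```

Both functions return non-zero on a finding, so they can sit in a cron job or a post-upgrade hook and fail loudly when a port upgrade rewrites httpd.conf or the rc.conf override is lost.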


Figure 10. netstat showing that mysql is listening on localhost only, which is more secure

If you want to manage the mysql server without the
command line, you can install phpmyadmin. It is a nice web
frontend with which you can easily manage your databases.
The installation procedure is in Listing 1.
For security reasons we rename the default phpmyadmin
folder, adding a random string at the end, like 54td85

#mv phpMyAdmin-3.4.3.2-all-languages/ phpmyadmin_54td85

Now cd into the directory

#cd /usr/local/www/apache22/data/phpmyadmin_54td85

#mv config.sample.inc.php config.inc.php

Open config.inc.php

#vi config.inc.php

and find the line
Listing 1. Download and untar phpmyadmin, MySQL web frontend

#cd /usr/local/www/apache22/data/

#wget http://sourceforge.net/projects/phpmyadmin/files%2FphpMyAdmin%2F3.4.3.2%2FphpMyAdmin-3.4.3.2-all-languages.tar.gz

#tar -zxvf files%2FphpMyAdmin%2F3.4.3.2%2FphpMyAdmin-3.4.3.2-all-languages.tar.gz && rm -rf files%2FphpMyAdmin%2F3.4.3.2%2FphpMyAdmin-3.4.3.2-all-languages.tar.gz

The ports tree also carries databases/phpmyadmin, which verifies
the distfile checksum for you; if you fetch the tarball by hand
over plain http as above, at least compare its checksum with the
one published by the project before unpacking it into the
document root.


Figure 11. phpmyadmin web frontend (login page with language,
username and password fields)


Figure 12. Configure mod_security screen before installation
(www/mod_security 2.5.13 options: Embedded Lua language
support, Build ModSecurity Log Collector)


$cfg['Servers'][$i]['AllowNoPassword'] = false;

and replace it with

$cfg['Servers'][$i]['AllowNoPassword'] = true;

If the procedure is correct, when you go to your browser
and type the URL

http://your domain name or your ip/phpmyadmin_54td85

you will see a page like Figure 11.

If you see this page, log in to the system as root
without a password, then go to Privileges and change
every user's password using Edit Privileges > Password. You
can keep using the root account yourself, but don't reuse its
password for the other users you create here. As soon as root
has a password, set AllowNoPassword back to false: leaving it
true lets anyone who finds the phpmyadmin URL try the
password-less accounts. The same result without the web step:
run mysql_secure_installation, which sets the root password and
removes the anonymous accounts and the test database.

Note
To increase the security of this folder you can use apache
htaccess to allow only certain IPs to access this folder.


Installing modsecurity
First we install Lua

#cd /usr/ports/lang/lua

#make install clean

and then mod_security

#cd /usr/ports/www/mod_security

#make install clean

Figure 13. mod_security installation finish

Figure 14. Apache httpd.conf with the lines that enable mod_security

Check "Embedded Lua language support" and click OK
(Figure 12). The process starts (Figure 13).

When the installation finishes we have to enable the module
unique_id (if it is not already enabled) in the apache config, and
then mod_security

#cd /usr/local/etc/apache22
#vi httpd.conf

Below the line

LoadModule unique_id_module libexec/apache22/mod_unique_id.so

we add

LoadFile /usr/local/lib/libxml2.so
LoadFile /usr/local/lib/liblua-5.1.so
LoadModule security2_module libexec/apache22/mod_security2.so

Restart apache

#/usr/local/etc/rc.d/apache22 restart


Configure modsecurity
Change the block

<IfModule security2_module>
    Include etc/apache22/Includes/mod_security2/*.conf
</IfModule>

to

<IfModule security2_module>
    Include etc/apache22/Includes/mod_security2/*.conf
    Include etc/apache22/Includes/mod_security2/base_rules/*.conf
    Include etc/apache22/Includes/mod_security2/asl/*.conf
</IfModule>

Now the modsecurity config and rules files are in
/usr/local/etc/apache22/Includes/mod_security2

#cd /usr/local/etc/apache22/Includes/mod_security2

Create a file named modsecurity_crs_10_config.conf
Listing 2. Modifying modsecurity_crs_10_config.conf to make
mod_security function

SecComponentSignature "core ruleset/2.0.10"

SecRuleEngine On

SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
#SecAuditLogType Serial

SecAuditLog /var/log/modsecurity_audit.log

SecDebugLogLevel 4
SecDebugLog /var/log/modsecurity_debug.log

SecRequestBodyAccess On

SecResponseBodyAccess On

SecResponseBodyMimeType (null) text/html text/plain text/xml

SecResponseBodyLimit 524288

# Server masking is optional

SecServerSignature "Microsoft-IIS/0.0"

SecDataDir /tmp

# Configures the directory where temporary files will be created.

SecTmpDir /tmp

# TODO Change the temporary folder setting to a path where only
# the web server has access.
#

SecUploadDir /tmp

# Whether or not to keep the stored files.
#
# In most cases you don't want to keep the uploaded files (especially
# when there is a lot of them). It may be useful to change the setting
# to "RelevantOnly", in which case the files uploaded in relevant
# requests will be stored.
#

SecUploadKeepFiles Off

SecDefaultAction "phase:2,deny,status:501,log"
#touch modsecurity_crs_10_config.conf

Now we have to edit this file. Open it with your favourite
editor, e.g. vi or pico

#vi modsecurity_crs_10_config.conf

and add the lines in Listing 2. Three things to keep in mind
about that configuration. SecDataDir, SecTmpDir and SecUploadDir
all point to the world-writable /tmp, so do what the TODO
comment says and point them at a directory owned by the www
user with mode 700. SecDebugLogLevel 4 is for tuning only; it
writes a lot and slows the server, so set it to 0 once the
rules are stable. And SecDefaultAction denies with status 501,
which is why blocked requests show up as "Method Not
Implemented" later in this article.

If you don't have wget, install it
from ports because we will need it to download tar.gz files

#cd /usr/ports/ftp/wget

#make install clean

Download the ASL rules (Listing 3) and fix their paths, or just
create a symlink so the rules find their files at /etc/asl

#cd /etc
#ln -s /usr/local/etc/apache22/Includes/mod_security2/asl/ asl

We also zero the domain-spam-whitelist.conf file because of
an error in modsecurity

# cat /dev/null > /usr/local/etc/apache22/Includes/mod_security2/domain-spam-whitelist.conf
Figure 15. Joomla 1.7 CMS frontend

Now let's configure some false positive entries of
modsecurity to make our server functional (see Listing 4).

Restart apache to load the configuration

#/usr/local/etc/rc.d/apache22 restart


Listing 3. Downloading and installing atomicorp mod_security rules

#wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.gz

Now we modify the asl rules to find our path:

#cd /usr/local/etc/apache22/Includes/mod_security2/asl

Listing 4. Configuring mod_security exclusions

#cd /usr/local/etc/apache22/Includes/mod_security2/asl
#cat > 99_asl_exclude.conf << EOF
<Directory /usr/local/www/apache22/data/>
    SecRuleRemoveByID 960032
    SecRuleRemoveByID 960034
    SecRuleRemoveByID 960010
</Directory>

<Location /phpmyadmin_54td85>
    SecRuleRemoveByID 950001
    SecRuleRemoveByID 959013
    SecRuleRemoveByID 959009
    SecRuleRemoveByID 959904
</Location>
EOF

The Location path must match whatever you renamed the
phpmyadmin directory to earlier, otherwise the exclusions never
apply and phpmyadmin keeps tripping the SQL injection rules on
its own queries.
Listing 5. Download and untar Joomla 1.7 CMS

#cd /usr/local/www/apache22/data

#wget http://joomlacode.org/gf/download/frsrelease/15278/66554/Joomla_1.7.0-Stable-Full_Package.tar.gz

#tar -zxvf Joomla_1.7.0-Stable-Full_Package.tar.gz

Listing 6. Testing mod_security in Joomla 1.7 CMS using an SQL injection

http://your domain name or your ip/index.php?action=&type=view&s=&id=-1%20union%20select%200,concat(char(85),char(1...
[the rest of the UNION SELECT payload is unreadable in the original]


Note

In order to make your websites function correctly you have
to monitor the log files for false positive alerts and disable or
fix those rules. You can monitor alerts with the command

# tail -f /var/log/modsecurity_audit.log | grep id
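
A triage helper for that log, as an added example that is not part of the original article or of ModSecurity itself: a POSIX shell function that reads a serial-format audit log (what SecAuditLog in Listing 2 writes) and counts, per rule ID and request path, how often each rule fired. That is the view you need before reaching for SecRuleRemoveByID, because it separates a real attack on index.php from phpmyadmin tripping the same SQL injection rule on its own legitimate queries. The three audit-log entries built into it are constructed for the demo; their boundary strings, unique IDs, rule ID, file name and message follow the ModSecurity 2.5 / CRS 2.0 layout but are not copied from a real server.

```sh
#!/bin/sh
# Added example: summarise a ModSecurity (serial) audit log by rule ID and path.

# modsec_hits AUDIT_LOG
# Prints "<count>\t<rule id>\t<path>\t<msg>", most frequent first. Section B
# of each entry holds the request line, section H the "Message:" lines that
# carry [id "..."] and [msg "..."] for every rule that matched.
modsec_hits() {
    awk '
        /^--[0-9A-Za-z]+-B--$/ { want_request = 1; next }
        want_request == 1 {                      # request line: METHOD URI HTTP/x.y
            path = $2; sub(/[?].*$/, "", path)   # drop the query string
            want_request = 0; next
        }
        /^Message: / {
            id = ""; msg = ""
            if (match($0, /\[id "[0-9]+"\]/))
                id = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[msg "[^"]*"\]/))
                msg = substr($0, RSTART + 6, RLENGTH - 8)
            if (id != "") hits[id "\t" path "\t" msg]++
        }
        END { for (k in hits) print hits[k] "\t" k }
    ' "$1" | sort -rn
}

# Constructed sample: two SQL injection attempts against Joomla and one
# phpmyadmin request that trips the same rule with a legitimate query.
sample_audit_log() {
    cat <<'EOF'
--3f2a9c1e-A--
[21/Aug/2011:10:15:32 +0300] TlCwdX8AAAEAAFxZ1EQAAAAB 192.168.10.104 50123 192.168.10.10 80
--3f2a9c1e-B--
GET /index.php?action=&type=view&id=-1%20union%20select%200 HTTP/1.1
Host: www.example.com
--3f2a9c1e-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?i:union.*select)" at ARGS:id. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--3f2a9c1e-Z--

--8b1d04aa-A--
[21/Aug/2011:10:16:05 +0300] TlCwlX8AAAEAAFxa1EQAAAAC 192.168.10.104 50124 192.168.10.10 80
--8b1d04aa-B--
GET /index.php?option=com_content&id=1%20union%20select%201 HTTP/1.1
Host: www.example.com
--8b1d04aa-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?i:union.*select)" at ARGS:id. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--8b1d04aa-Z--

--c07e55d2-A--
[21/Aug/2011:10:20:41 +0300] TlCxqX8AAAEAAFxb1EQAAAAD 192.168.10.50 50200 192.168.10.10 80
--c07e55d2-B--
POST /phpmyadmin_54td85/sql.php HTTP/1.1
Host: www.example.com
--c07e55d2-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?i:union.*select)" at ARGS:sql_query. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--c07e55d2-Z--
EOF
}

# Real use: modsec_hits /var/log/modsecurity_audit.log | head
```

On the sample this prints rule 950001 twice for /index.php and once for /phpmyadmin_54td85/sql.php. The right fix for the second line is a SecRuleRemoveByID scoped to that Location, as in Listing 4, never a global removal of 950001, which would also silence the first.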


Also if your hardware is old it is good to delete some rules
or your apache web server will be slow. For example you
can delete these files from the
/usr/local/etc/apache22/Includes/mod_security2/asl directory:

10_asl_antimalware.conf
10_asl_antimalware_output.conf
11_asl_data_loss.conf
20_asl_useragents.conf
30_asl_antimalware.conf
30_asl_antispam.conf
30_asl_antispam_referrer.conf

or whatever you think is not necessary for your website's
protection.

Figure 16. Error message after the SQL injection ("Method Not
Implemented: GET to /index.php not supported", the status:501
set by SecDefaultAction)


Testing

Now let's test whether modsecurity is working. In order to test
it on a real website I am going to install Joomla 1.7, a very
popular open source CMS (Listing 5). Open a web browser and type

http://your domain name or your ip/

It should open the Joomla installer; follow the on-screen
procedure and finish the Joomla installation. If the directory is
not writable by apache, at the end it will not be able to create
the configuration.php file. To do it manually

#touch /usr/local/www/apache22/data/configuration.php
#vi /usr/local/www/apache22/data/configuration.php

copy the configuration file from the web browser and paste it
into configuration.php. Also click "remove installation
folder". If that does not succeed, remove it from the command line

#rm -rf /usr/local/www/apache22/data/installation

Figure 17. mod_security audit log entry after the SQL injection
Figure 18. Backtrack joomscan penetration testing utility
(YGN Ethical Hacker Group, vulnerability database of 466
entries last updated August 18, 2009; against
http://192.168.10.104/index.php it stops with "[x] Unable to
process any more. I get - 501 Method Not Implemented" after
1 min and 10 sec)
If everything is working, when you open your web browser and
type the test URL (or the other exploit in Listing 6) you will
see Figure 16, and in the log file you will see the deny rule
(Figure 17).

Also if you try scanning the server for security
vulnerabilities using joomscan (it can be downloaded
from http://sourceforge.net/projects/joomscan/ or found
on the BackTrack DVD) it will return an error that it cannot
process the website (Figure 18). Keep in mind what this test
does and does not prove: joomscan stopped because its
requests were answered with the 501 from SecDefaultAction,
so a scanner whose requests look harmless to the rules, or an
attack the rule set has no signature for, will still get
through. mod_security is a filter in front of Joomla, not a
substitute for keeping Joomla and its extensions patched.
MySQL Unleashed!

We explore some tips and tricks that you can use to gain
better performance with MySQL

What you will learn...
• How to fine tune and optimize MySQL databases for best
  performance.

What you should know...
• Working with MySQL, database administration.

Your database table seems to be well-indexed, yet a simple
query on it takes ages to complete. Or maybe your web app
looks good in the dev environment, but performs badly in
production.
If you are a database admin, chances are that you have
already encountered the above situations at some stage or
other. Therefore, in this article, we shall be looking at
debugging, myth-busting and handling certain common
(and uncommon) MySQL issues. In this first part, we
begin with certain simple and easily implementable tips
and tricks.

Storage Engine Woes

If your table uses transactions, you should consider using
InnoDB as it comes with full ACID compliance. However,
if you do not require transactions, it would be wiser to stick
to MyISAM, the default storage engine up to MySQL 5.1
(from 5.5 onwards InnoDB is the default).

Also, do not try to sail on two boats, er... sorry, storage
engines. Consider this: in a transaction, some tables use
InnoDB while the rest are on MyISAM. The outcome? A
rollback brings only the InnoDB tables back to their
original state, while the MyISAM tables keep the data that
was written. Needless to say, this
will lead to inconsistency across the database. However,
there exists a simple way to enjoy both the flavours!
Most MySQL distributions nowadays include InnoDB,
compiled and linked! But if you opt for MyISAM, you can
still download InnoDB separately, and use it as a plugin!
Simple, eh?


Counting Issues

If your table employs a storage engine that supports
transactions (such as InnoDB), you shouldn't use count(*)
to find out the total number of rows in the table. The
reason is that InnoDB keeps no cached row count: count(*)
on a production database has to walk the table (or an
index) every time, and with transactions running
concurrently the figure it returns is the row count as seen
by your own transaction's snapshot, not a global one.
Treating such a count as an exact, current value
will obviously generate bugs if put to use.

The default storage engine for MySQL (before 5.5) is MyISAM,
which does not support transactions. However, engines
such as InnoDB are favored over MyISAM as the latter
has a (notorious) distinction of not being the best fault
tolerant storage engine. This, in fact, busts the myth
that MySQL is faster than PostgreSQL: count(*) returns
the results quickly in MySQL only when operating
under MyISAM. If the storage engine is changed to
InnoDB, count(*) takes the same amount of time as
in PostgreSQL.


Test, Test, Test

The major headache with queries is not the fact that,
no matter how careful one is, something or other is
bound to be left out and cause a bug later on. Rather, the
problem is the timing at which the bug surfaces, which
in most cases is after the application/database has gone
live. There really exists no sure-shot strategy to counter
it, except for the test samples that you must run on your
application/database. No database query should be
approved unless it has been exercised against samples of
thousands of records.

Countering Table Scans

More often than not, if MySQL (or any relational database)
has to search or scan for a particular record in
a table, a full table scan is used. Again, more often than
not, the easiest cure here is to use indexes to solve
the problem, as full table scans result in poor performance.
However, as we shall see in subsequent issues, this does
not come without its share of fallacies.


Using Explain 
EXPLAIN is an excellent command when it comes to 
debugging, so let us explore it in depth. 

First, let us create a sample table: 


CREATE TABLE `awesome_bsd` ( 
    `emp_id` INT(10) NOT NULL DEFAULT '0', 
    `full_name` VARCHAR(100) NOT NULL, 
    `email_id` VARCHAR(100) NOT NULL, 
    `password` VARCHAR(50) NOT NULL, 
    `deleted` TINYINT(4) NOT NULL, 
    PRIMARY KEY (`emp_id`) 
) 
COLLATE = 'utf8_general_ci' 
ENGINE = InnoDB 
ROW_FORMAT = DEFAULT 


The table is self-explanatory, with five columns, the last, 
`deleted`, being a Boolean flag to check if an account is 
active or has been deleted. Next, you may populate this 
table with sample records (say, 100 employee records). 
As you can see, the primary key lies on `emp_id`. 

So, using the email address and password fields, we 
can easily create a query to validate or deny a login 
attempt, as follows: 


SELECT COUNT(*) FROM awesome_bsd WHERE 
    email_id = 'blahblah' AND password = 'blahblah' 
    AND deleted = 0 

Oops! I've already told you to avoid using count(*). Let 
me rectify: 

SELECT emp_id FROM awesome_bsd WHERE 
    email_id = 'blahblah' AND password = 'blahblah' 
    AND deleted = 0 


Now, let us introspect. In the first instance, we queried 
to locate and return the number of rows where email_id 
and password were equal to the given values. In the 
second case, we did the same but instead decided to 
ask for the value of emp_id for all the rows that satisfied the 
given criterion. What'd you say? Which query is the more 
expensive? 

Apparently, both of them are equally expensive 
database killing queries because unintentionally, we are 
querying for a full table scan in each case. To understand 
better, execute this: 


EXPLAIN SELECT emp_id FROM awesome_bsd WHERE 
    email_id = 'blahblah' AND password = 'blahblah' 
    AND deleted = 0 


In the output, concentrate on the second-last column, 
rows. Assuming that we had populated the table with 
100 records, it will show 100 in the first row, which is the 
number of rows that MySQL needs to scan in order to 
evaluate the result of this query. What does this show? 
Yes, a full table scan (read: memory hog). 

To overcome this evil, we need to add indexes. 


Indexes 

First things first: it's a bad idea to create an index for every 
second problem that you might encounter. Excessive 
indexing leads to slower performance and hogs resources. 
Before going any further, let us create a sample index on 
our example: 


ALTER TABLE `awesome_bsd` ADD 
    INDEX `LoginValidate` (`email_id`) 


Next, run the query again: 


EXPLAIN SELECT emp_id FROM awesome_bsd WHERE 
    email_id = 'blahblah' AND password = 'blahblah' 
    AND deleted = 0 


Now notice the value. Instead of 100, it should now say 1. 
Thus, MySQL is now scanning only 1 row in order to give 
you the output of this query, thanks to the index created 
earlier. You might notice that the index created is only for the 
email address field while the query searches on other 
fields too. This shows that MySQL first performs a cross-
check to see whether any of the values specified in the WHERE 
clause has an index defined for it, and if so, proceeds 
accordingly. However, it isn't the case that every iteration will 
be reduced to one row. If, for instance, the indexed field is 
not unique (such as employee names, which can have 
identical values in two rows), there will be multiple 
records left even after indexing. Yet, it will still be better 
off than a full table scan. 

Also, the order of columns specified in the WHERE 
clause does not play a role in the process. If, for instance, 
in the above query, you reverse the order of fields so 
that the email address comes last, MySQL will still iterate on 
the basis of the indexed column. 

Now, with indexing at your fingertips, you've seen 
how to avoid numerous full table scans and gain better 
results. Let's proceed further. 


Full Table Scans Can Strike Back, Too 

First up, coming to common MySQL errors or issues that 
are often ignored. Let's create a table along the lines of the 
following sample (this sample table has a few flaws in it, as 
we shall see later on): 


CREATE TABLE `awesome_table` ( 
    `awe_id` INT(10) NOT NULL AUTO_INCREMENT, 
    `awe_date` DATE NOT NULL, 
    PRIMARY KEY (`awe_id`), 
    INDEX `awe_date` (`awe_date`) 
) 


Additionally, you may suffix the following to the 
above table too (it depends on the environment you 
have at your disposal, though the following code is a 
recommended addition, if possible): 

COLLATE = 'utf8_general_ci' 
ROW_FORMAT = DEFAULT 


Populate the table with some sample records (say, 10 
records). The primary key lies with the `awe_id` column, 
while the `awe_date` column is indexed as well. So, simply 
because indexing is on for the `awe_date` column, we can 
assume that any queries done on the column will not run 
unoptimised, right? Apparently not! Run the following 
sample query: 


EXPLAIN SELECT * FROM awesome_table 
    WHERE awe_date < '1980' 


What did you get? Correct! It runs a full table scan, 
yet again, in spite of the index placed on the `awe_date` 
column. Now, let us modify the above query slightly: 

EXPLAIN SELECT * FROM awesome_table 
    WHERE awe_date < '1980-01-02' 


What did you see now? It no longer performs a full 
table scan, but instead shows the scan type as range 
rather than index. The outcome? Faster processing! 
As you must have noticed, in the first query '1980' is 
an ambiguous parameter, but in the second query the 
complete date eliminates the possibility of a scan type such 
as ALL. 

Another common scenario in which an otherwise 
unnecessary full table scan is called upon is one involving 
UCASE and LCASE. More often than not, applications 
perform case-insensitive searches. For example: 

EXPLAIN SELECT * FROM table-name 
    WHERE UCASE(column-name) = 'THIS IS SO WONDERFUL'; 

In such searches, MySQL will ignore the indexes, 
convert the values held by the specified column in each 
row to UCASE and then perform the search for the given 
sample text. The easiest way out of such a situation 
is to store either UCASE or LCASE values (the requisite 
case conversion should ideally be performed when the 
record is inserted into the table). Following that, the case 
of the value under consideration can be automatically 
compared, as shown in the query below: 

EXPLAIN SELECT * FROM table-name 
    WHERE column-name = UCASE('this is so wonderful'); 

This compels MySQL to convert the given value into 
UCASE in order to match a rule that allows for storage of 
only UCASE values in the given column. 


The MyISAM Storage Engine - a Closer Look 
As we covered earlier, MyISAM is MySQL's default 
storage engine. Now we shall take a closer look at it. 

MyISAM by default stores a table in two files (one for 
the data, the other for indexes). For the data file, the 
extension is .MYD, while for the index file, the extension 
is .MYI. You can also use the DATA DIRECTORY and 
INDEX DIRECTORY options along with the CREATE 
TABLE command to specify the location of each 
file of the given table. Since these files are platform 
independent, most platforms support specifying the 
directories this way. 

Also, all readers issuing SELECT 
queries need to obtain read locks, and multiple users 
can do so by means of shared locks. However, 
on the contrary, all writers need to have exclusive locks. 
Thus, while two users can acquire read locks (SELECT) 
at the same time, they cannot perform write operations 
(INSERT, UPDATE or DELETE, etc.) simultaneously. 
This is the precise reason why indexing is crucial and, 
needless to say, if you fail to handle your indexes well, 
write operations will become slow and time consuming, 
resulting in heavy load on the system. 

MyISAM supports Full Text Index (also known as Full 
Text Search) but doesn't yet support transactions. Table 
locks are a possibility, but row locks are not. Furthermore, 
MyISAM supports compressed tables too (read only). 
However, it must be noted that only individual rows are 
compressed and not the entire table as a whole. 

MyISAM also has the advantage of specifying NULL 
values even in indexed fields, as well as providing a different 
character set for each CHAR or VARCHAR column type. 


MyISAM and B-TREE - Spicing Up Your Indexes! 
In a MyISAM powered table, the type of each index is B-
tree. So before going any further, let us analyze what a 
B-tree is, and to do so, we shall turn to Wikipedia (http:// 
en.wikipedia.org/wiki/B-tree): 

“... a B-tree is a tree data structure that keeps data sorted 
and allows searches, sequential access, insertions, and 
deletions in logarithmic amortized time. The B-tree is a 
generalization of a binary search tree in that a node can 
have more than two children. ... Unlike self-balancing binary 
search trees, the B-tree is optimized for systems that read and 
write large blocks of data. It is commonly used in databases 
and filesystems.” 


With the introduction out of the way, we now turn our 
attention once again to MyISAM and B-tree, with special 
focus on indexes. First, we can briefly sum up the 
theoretical aspect of the issue. 

It can be said that the B-tree index has a root node on the 
top (since it is a tree, it has to have a root). In a B-tree, any 
node that doesn't have a child attached to it is called a leaf 
node. Therefore, the root node is a non-leaf node while all 
the nodes that spring from it are called leaf nodes. The links 
between a node and its immediate children can be shown as 
pointers. Do not confuse these pointers with C/C++ pointers. 

Going below the leaf nodes (ones without children nodes), 
you'll find the actual table data. The data is linked to the leaf 
nodes on the basis of key values. Thus, it becomes quite 
obvious that effective and speedy searches depend on how 
the key values associate the data to the leaf nodes, or, in 
simple terms, how effectively a table is indexed. 

At this juncture, we can also tear apart the myth that 
MyISAM supports clustered indexes. The truth is, MyISAM 
does not store data in a sorted fashion, whereas for a 
clustered index to work, data must be sorted. MyISAM, 
on the other hand, stores data as and when it is inserted 
into the table. It does sort the indexes, but as we have 
already covered, indexes are stored in a separate file 
(.MYI) from the data itself (.MYD). MyISAM uses indexes 
to point to the exact location of unsorted data and as 
a result removes the need for data storage in a sorted 
manner. The bottom line is that clustered indexes are not 
possible on MyISAM. 

The most obvious benefit of employing a B-tree is that it 
considerably improves the search functionality (SELECT 
queries). However, on the down side, queries such as 
INSERT and DELETE tend to become slower as each 
time a record is either inserted or deleted, the indexes 
located in .MYI file also need to be modified. The cure in 
such a case is to index selectively. 

Index selectivity refers to the variety of values stored 
or recorded in the columns of a table. Selectivity is 
measured on a scale from 0 to 1, wherein 1 implies that 
each value in the selected column is UNIQUE. Generally, 
a selectivity of 1 occurs with columns that are UNIQUE or 
PRIMARY KEY, though this isn't always the case and it varies 
with the nature of values stored in the given columns. 
For the sake of simplicity, we can stick to the following 
formula: 

SELECTIVITY = NO. OF DISTINCT RECORDS / TOTAL NO. OF RECORDS 


The above formula is a stripped down and simplified 
version for the purpose of understanding. If you so 
desire, you can use the alternate way to calculate 
selectivity by employing a production class database and 
finding the number of DISTINCT rows in it. Bear in mind 
though, that the number of DISTINCT values in a column 
may or may not always work perfectly. 

Higher selectivity means the operations shall be 
of shorter duration and vice versa. As a result, lower 
selectivity is termed an expensive operation while 
higher selectivity is an inexpensive operation. 

Finally, coming back to the sample table that we created 
earlier in the article. The `awe_id` column is a PRIMARY 
KEY, and will thus have a selectivity of 1. The `awe_date` 
column is indexed as well, so let's focus on it. Quite 
obviously, all dates cannot be distinct or unique, and this 
column is bound to have a low selectivity. In such a case, 
it will not serve as a good index and as a result, in spite 
of indexing the column, we got a full table scan in the first 
query that we ran earlier. 

Before performing a query, MySQL calculates the cost 
of the different ways in which the query can be performed 
and then picks the cheapest or most effective way. So 
if a low selectivity column is used for an index, it will 
overload the system. To avoid such overloading, MySQL 
may choose not to use your index if the selectivity is low. 
This is precisely the reason why even after using multiple 
indexes, your queries may still result in full table scans 
(read: slower outputs) and burden the system resources. 
In simple terms, the entire input and output process 
depends on the appropriateness of the indexing and 
querying. Hence, it becomes vital that indexes are used 
judiciously and selectively. 
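The three points above (an index turning a full scan into an index lookup, a function on the indexed column defeating it, and selectivity as distinct/total) can be checked mechanically. The following is an added example, not the article's code: sqlite3, which ships with Python, stands in for MySQL, and its EXPLAIN QUERY PLAN plays the role of MySQL's EXPLAIN (SCAN = full table scan, SEARCH ... USING INDEX = index used); the table, rows and index name mirror the article's awesome_bsd example and are constructed here.

```python
"""Index use, the UCASE trap and index selectivity, checked with sqlite3 (assumed stand-in for MySQL)."""
import re
import sqlite3


def build_db(rows=100):
    """Constructed awesome_bsd table with `rows` employees; emails are stored upper-case."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE awesome_bsd ("
        " emp_id INTEGER PRIMARY KEY, full_name TEXT NOT NULL,"
        " email_id TEXT NOT NULL, password TEXT NOT NULL,"  # password column holds a hash
        " deleted INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO awesome_bsd VALUES (?, ?, ?, ?, ?)",
        [(i, f"Employee {i}", f"USER{i}@EXAMPLE.COM", f"hash-{i}", int(i % 10 == 0))
         for i in range(1, rows + 1)],
    )
    return conn


def query_plan(conn, sql, params=()):
    """The planner's description of how `sql` will run (detail column of EXPLAIN QUERY PLAN)."""
    return " | ".join(str(row[-1]) for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params))


def selectivity(conn, table, column):
    """The article's formula: distinct values / total rows (1.0 means every value is unique)."""
    for ident in (table, column):  # identifiers cannot be bound as parameters, so validate them
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", ident):
            raise ValueError(f"bad identifier: {ident!r}")
    distinct, total = conn.execute(
        f"SELECT COUNT(DISTINCT {column}), COUNT(*) FROM {table}").fetchone()
    return distinct / total if total else 0.0


# The article's login query (bound parameters instead of literals).
LOGIN = "SELECT emp_id FROM awesome_bsd WHERE email_id = ? AND password = ? AND deleted = 0"
# Function applied to the indexed column: the index cannot be used.
UPPER_ON_COLUMN = "SELECT emp_id, full_name FROM awesome_bsd WHERE upper(email_id) = ?"
# Function applied to the bound value instead: plain equality on the column, index usable.
UPPER_ON_VALUE = "SELECT emp_id, full_name FROM awesome_bsd WHERE email_id = upper(?)"


def demo():
    conn = build_db()
    creds = ("USER7@EXAMPLE.COM", "hash-7")
    before = query_plan(conn, LOGIN, creds)
    conn.execute("CREATE INDEX LoginValidate ON awesome_bsd (email_id)")  # the article's index
    after = query_plan(conn, LOGIN, creds)
    return {
        "plan_before_index": before,
        "plan_after_index": after,
        "plan_upper_on_column": query_plan(conn, UPPER_ON_COLUMN, ("USER7@EXAMPLE.COM",)),
        "plan_upper_on_value": query_plan(conn, UPPER_ON_VALUE, ("user7@example.com",)),
        "login_rows": conn.execute(UPPER_ON_VALUE, ("user7@example.com",)).fetchall(),
        "selectivity": {c: selectivity(conn, "awesome_bsd", c)
                        for c in ("emp_id", "email_id", "deleted")},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```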

In this article, we covered the myths and overlooked or 
relatively lesser known details about MySQL indexes, as 
well as the functioning of the MyISAM storage engine. I 
hope you enjoyed reading it. Happy querying! 
Terminal Descriptions for OpenBSD AMD/Intel consoles 


In this article I would like to describe the results of my work 
on tuning OpenBSD consoles for AMD/Intel PCs. These 
results are also applicable to computers with the same 
hardware architecture (amd64 or i386, see http:// 
www.openbsd.org/plat.html): servers, workstations, 
notebooks, etc. 


What you will learn... 

• important facts about ASCII terminals 
• how to tune OpenBSD AMD/Intel consoles for comfortable work with mail and Midnight Commander 

What you should know... 

• what is OpenBSD 
• how to install the OpenBSD operating system 
• how to use OpenBSD packages and ports 


I often worked on OpenBSD AMD/Intel PC consoles 
and really did not have good support of navigation 
and function keys of a typical PC keyboard. Also I 
had some problems with colors/attributes (maybe they 
were video adapter dependent). These issues have existed a long 
time and cause much inconvenience if you often work at the 
console (not in a graphical environment). 


Listing 1. Cyrillic support for AMD/Intel consoles 

# cat /etc/kbdtype 
ru 

# cat /etc/rc.local 
if [ -x /usr/sbin/wsconscfg -a -x /usr/sbin/wsfontload ]; then 
        /usr/sbin/wsfontload -h 16 /usr/share/misc/pcvtfonts/koi8-r-8x16 
        for CONSOLE in 2 3; do 
                /usr/sbin/wsconscfg -d -F $CONSOLE 
                /usr/sbin/wsconscfg -t 80x25bf -e vt100 $CONSOLE 
        done 
fi 
/sbin/wsconsctl -w keyboard.map+="keycode 184 = Mode_Lock" >/dev/null 


BSD 09/2011 




Listing 2. Terminal descriptions patch for AMD/Intel consoles 

Apply this patch by doing: 

cd /usr/src 
patch -p0 < OpenBSD_PC_console.patch 

And then rebuild and install the terminal description 
databases: 

cd share/termtypes 
make obj 
make cleandir 
make depend 
make 
make install 

After that you can use these emulations for AMD/Intel PC 
consoles: 

• pccon0-m 
• pccon0 
• pccon-m 
• pccon 

Also you can replace the default "vt220" with "pccon" in /etc/ttys 
for the "console" and "ttyC*" entries. 


--- ./share/termtypes/termtypes.master.orig Mon 


NO V2 ee oo Oe 200) 


+++ ./share/termtypes/termtypes.master Sun Aug 14 18:33: 


SE ACL 
@@ —-1649,6 41649,55 Ge 
gansi-w|QNX ansi for windows, 


xvpa, use=gansi-m, 


+#### OpenBSD consoles 


+# 

+# From: Alexei Malinin <Alexei.Malinin@mail.ru>; July, 
eae 

+# 


+# The following terminal descriptions for the AMD/ 
Intel PC console 

+# were prepared based on information contained in the 
OpenBSD-4.9 

+# termtypes.master and wscons(4) & vga(4) manuals 
(2010, November). 

i 

+pccont+keys|OpenBSD PC keyboard keys, 

= dose ieeiianc, clic", Keploll=Ve (0, iKeme l= is) eh 


kcuf1=\E[C, 

+ keuul=\E/A, kdchl=\E[3~, kend=\E[8~, kent=*M, kfl=\E[1ll1~, 

+ KpnO= VR kid E235) kel 2=\ E24 ke 2, 

+ kf3=\E[13~, kf4=\E[14~, kf5=\E[15~, kf6=\E[17~, kf7=\E[18~, 

+ kf8=\E[19~, kf9=\E[20~, khome=\E[7~, kichl=\E[2~, 

+ knp=\E[6~, kpp=\E[5~, krfr=*R, kspd=*Z, 

Foccontacs0 (simple ASCII pseudographics for OpenBsD: PC 
console, 

i ACSC — > <= VF tas ke tO -d= ro 
ttutviwtx!|!}#~o, 

+pccontacs|default ASCII pseudographics for OpenBSD PC 
console, 

teeaese—t. =. 200) “aatroghhni iii kkiimninntcoopegqnu assured 
VVWWKKXYVV2S11 ||} } <>, 

FpeconT colors (ANSI colors for OpenboD PC console, 


+ bce, 


+ op=\E[m$<2>, setab=\E[4%p1%dm$<2>, 

+ Setatr—\E i s32picdms<2->, 

+pccontbase|base capabilities for OpenBSD PC console, 
an, <M, Mest, NOC, Mxon,. Xenia xen, 

cols#80, it#8, lines#24, 

bel=*G, 
cup=\E[%i%p1%d; %p2%dHS<5>, ed=\E[JS<50>, el=\E[KS$<3>, 
ell=\ El iKS<3>) “enacs— EB E)0, home—\E lHe<s>, mt—i1, 


ellearc— Hi | Z0so<50>) scr i 


inod— J, mel—\EES<2-)  fey— 5 ims<2>,) rl— BMo<5>, “macs— ©, 
maiio= VL <2s- ses V—\ eS <a 0 - 

sgr=\E [m$<2>%?%p1%p3% | St \E [7m$<2>%; $?Sp9St\016%e\017%;, 
sgr0=\E[m$<2>\017, smacs=*N, smso=\E[7m$<2>, 


+ oF Ft Ft +H + +t + + 


Fpoecon0-m|OpenBsD PG console waithour collors & with 
Simple ASCII pseudographics, 
+  use=pccontbase, 
+ use=pccontacs0, 
+ use=pccontkeys, 
+pccon0|OpenBSD PC console with simple ASCII pseudographics, 
+  use=pccon0-m, 
+ use=pccontcolors, 
+pccon-m|OpenBSD PC console without colors, 
+ use=pccontbase, 
+ use=pccontacs, 
+ use=pccontkeys, 
+pccon|OpenBSD PC console, 
+ use=pccon-m, 
+ use=pccontcolors, 
ae 
#### NetBSD consoles 
# 


# pcvt termcap database entries (corresponding to release 3.31) 
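Review bot: the colors building block (the entry shown as "FpeconT colors (ANSI colors for OpenboD PC console", i.e. pccon+colors) carries bce, op=\E[m$<2>, setab=\E[4%p1%dm$<2> and setaf, but no colors# or pairs# numeric capabilities appear in it. curses decides has_colors() and start_color() from colors#, so without "colors#8, pairs#64," a full-screen program such as Midnight Commander will treat pccon and pccon0 as monochrome even though setaf/setab are defined; if those two capabilities were merely lost in transcription, disregard this, otherwise add them to the entry. Separately, the "+# From: Alexei Malinin <Alexei.Malinin@mail.ru>; July," comment line leaves the date unfinished.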
Note 
Commands and options discussed in this article refer to 
the latest version of OpenBSD, 4.9. 

Let us look at my typical work environment: 

• an AMD/Intel PC with VGA display, 
• PC keyboard (usually 104-key with Cyrillic letters), 
• vt220 default console terminal type, 
• Cyrillic support for consoles 2 and 3 (Ctrl+Alt+F3 
and Ctrl+Alt+F4); the fragments of configuration files 
(in my /etc directory) which differ from the defaults are in 
Listing 1. 


Note 
Useful links about OpenBSD cyrillization: 

• http://www.obsd.ru/8/?q=node/1172 
• http://www.openbsd.ru/docs/howto-cyrillic.html 
• http://www.openbsd.org/taq/fag/.html 


The console environment described above is suitable 
for mail and Midnight Commander, but not all navigation 
and function keys work as expected, and some color/attribute 
issues are annoying. 


Note 
Midnight Commander (http://www.midnight-commander.org/) 
is a handy full-screen file manager, but it is not in 
the base OpenBSD distribution. It can be installed 
from packages or ports (ports/misc/mc), see http:// 
www.openbsd.org/faq/faq15.html. 

Before delving into the details of tuning the console, let 
us recall how full-screen applications interact with 
ASCII (or alphanumeric) terminals. These applications 
typically use a high-level screen management library. In 
turn, this library uses a terminal description database 
for performing high-level screen management 
functions (cursor movement, setting colors, etc.). 
The most famous screen management library for 
ASCII terminals is curses, which uses one of the two 
terminal description databases: termcap or terminfo. 
These terminal description databases make curses 
terminal independent, and that terminal independence 
is the foundation of curses. termcap and terminfo are 
the mechanisms by which UNIX systems support 
hundreds of varieties of ASCII terminals without the 
need for special drivers for each terminal. Most of the 
capabilities in termcap and terminfo are identical except 
in name. 
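To see how a terminfo description such as the one in Listing 2 is assembled from building blocks (pccon+keys, pccon+base, pccon+colors, ...) through use= references, here is an added example, not code from the article or from OpenBSD: a small parser for terminfo source syntax plus a resolver that applies the precedence rules of terminfo(5) (an entry's own capabilities win, the leftmost use= wins among several, and name@ cancels). The sample text is constructed after Listing 2; the abbreviated capability values, the colors#/pairs# numerics and the last two entries are this example's own additions.

```python
"""Parse terminfo source entries and resolve their use= inheritance (added example)."""
import re

# Constructed sample modelled on Listing 2 (values abbreviated; colors#8/pairs#64
# and the two trailing entries are additions made for this example).
SAMPLE = r"""
#### OpenBSD consoles (constructed excerpt)
pccon+keys|OpenBSD PC keyboard keys,
    kbs=^H, kcub1=\E[D, kcud1=\E[B, kcuf1=\E[C, kcuu1=\E[A,
    kdch1=\E[3~, kend=\E[8~, khome=\E[7~, knp=\E[6~, kpp=\E[5~,
pccon+acs0|simple ASCII pseudographics for OpenBSD PC console,
    acsc=+>\,<-^.v0#,
pccon+acs|default ASCII pseudographics for OpenBSD PC console,
    acsc=``aaffggjjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~,
pccon+colors|ANSI colors for OpenBSD PC console,
    bce, colors#8, pairs#64,
    op=\E[m$<2>, setab=\E[4%p1%dm$<2>, setaf=\E[3%p1%dm$<2>,
pccon+base|base capabilities for OpenBSD PC console,
    am, msgr, cols#80, it#8, lines#24,
    bel=^G, cup=\E[%i%p1%d;%p2%dH$<5>, el=\E[K$<3>, smso=\E[7m$<2>,
pccon0-m|OpenBSD PC console without colors & with simple ASCII pseudographics,
    use=pccon+base, use=pccon+acs0, use=pccon+keys,
pccon0|OpenBSD PC console with simple ASCII pseudographics,
    use=pccon0-m, use=pccon+colors,
pccon-m|OpenBSD PC console without colors,
    use=pccon+base, use=pccon+acs, use=pccon+keys,
pccon|OpenBSD PC console,
    use=pccon-m, use=pccon+colors,
pccon-bold|constructed: pccon with bold instead of reverse standout,
    smso=\E[1m$<2>, use=pccon,
pccon-noend|constructed: pccon with the End key cancelled,
    kend@, use=pccon,
"""

CAP_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:([#=])(.*))?$")


def parse_cap(token):
    """One capability token -> (name, value): True for a boolean, int for a
    numeric (name#n), str for a string (name=s), None for a cancelled cap (name@)."""
    if token.endswith("@"):
        return token[:-1], None
    m = CAP_RE.match(token)
    if not m:
        raise ValueError(f"malformed capability: {token!r}")
    name, sep, value = m.groups()
    if sep is None:
        return name, True
    return name, (int(value) if sep == "#" else value)


def parse_terminfo_source(text):
    """Return {primary name: {'names': [...], 'caps': [(name, value)], 'uses': [...]}}."""
    blocks, current = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":            # indented continuation of the current entry
            current.append(line.strip())
        else:                           # a new entry starts in column 0
            if current:
                blocks.append(" ".join(current))
            current = [line.strip()]
    if current:
        blocks.append(" ".join(current))
    entries = {}
    for block in blocks:
        header, _, body = block.partition(",")
        names = [n.strip() for n in header.split("|")]
        caps, uses = [], []
        # split on commas that are not escaped as "\," (escaped commas occur in acsc strings)
        for token in re.split(r"(?<!\\),", body):
            token = token.strip()
            if not token:
                continue
            name, value = parse_cap(token)
            (uses if name == "use" else caps).append(value if name == "use" else (name, value))
        entries[names[0]] = {"names": names, "caps": caps, "uses": uses}
    return entries


def _merge(entries, name, stack):
    if name in stack:
        raise ValueError("use= cycle: " + " -> ".join(stack + (name,)))
    entry = entries[name]
    merged = {}
    # Own capabilities win; among several use= clauses the leftmost wins, so
    # setdefault() in source order yields the terminfo(5) precedence.
    for cap, value in entry["caps"]:
        merged.setdefault(cap, value)
    for used in entry["uses"]:
        for cap, value in _merge(entries, used, stack + (name,)).items():
            merged.setdefault(cap, value)
    return merged


def resolve(entries, name):
    """Fully expanded capabilities of an entry, with cancelled (name@) caps removed."""
    return {cap: value for cap, value in _merge(entries, name, ()).items() if value is not None}
```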




Listing 3. Tuning display resolutions for AMD/Intel consoles 

# 80x50 resolution 
if [ -x /usr/sbin/wsconscfg -a -x /usr/sbin/wsfontload ] 
then 
        /usr/sbin/wsfontload -h 8 /usr/share/misc/pcvtfonts/koi8-r-8x08 

# 80x40 resolution 
if [ -x /usr/sbin/wsconscfg -a -x /usr/sbin/wsfontload ] 
then 
        /usr/sbin/wsfontload -h 10 /usr/share/misc/pcvtfonts/koi8-r-8x10 

# 80x25 resolution 
if [ -x /usr/sbin/wsconscfg -a -x /usr/sbin/wsfontload ] 
then 
        /usr/sbin/wsfontload -h 16 /usr/share/misc/pcvtfonts/koi8-r-8x16 




Note 
Important OpenBSD manual pages about ASCII 
terminals: 

* ttys(5) — terminal initialization information 
* wsconscfg(8) — configure virtual terminals on a wscons 
display 
* wscons(4) — console access 
* vga(4) — VGA graphics driver for wscons 
* stty(1) — set the options for a terminal device 
interface 
* tset(1) — terminal initialization 
* tput(1) — terminal capability interface 
* termcap(5) — terminal capability database 
* terminfo(5) — terminal capability database 


So, the problem to be solved is that the vt220 terminal type is 
not well suited for the AMD/Intel PC console. 

What could I do?.. In the OpenBSD terminal 
descriptions database (I used the text version of 
termcap, /usr/share/misc/termcap) I found descriptions 
for NetBSD, FreeBSD, Linux (and many other 
operating systems') consoles but nothing suitable for 
the OpenBSD AMD/Intel PC console! So the only 
solution would be to prepare a complete and correct 
terminal description for this console... I read OpenBSD 
manual pages and many other information sources 
that might be relevant to ASCII terminals, curses, vt100, 
vt220, xterm, ANSI, etc... 


Note 

The best source of information I ever read is the book 
“termcap & terminfo” published by O'Reilly in 1988 (http:// 
oreilly.com/catalog/9780937175224/). 

At last I prepared several terminal descriptions for the 
AMD/Intel PC console. The patch against the OpenBSD 
4.9 sources is in Listing 2. Do not forget to read the 
comments at the beginning of the patch! 


Note 
This patch can be downloaded from here: http:// 
am1225.narod.ru/software/OpenBSD_PC_console.patch. 


Note 
The OpenBSD FAQ describes how to build the operating 
system from sources: http://www.openbsd.org/faq/ 
faq5.html. 

After patching OpenBSD it will be possible to use 
several terminal types for AMD/Intel consoles: 

* pccon is suitable for a color display with 80x25 resolution, 
* pccon-m is suitable for a black and white display with 
80x25 resolution, 
* pccon0 is suitable for a color display with 80x40 and 
80x50 resolutions, 
* pccon0-m is suitable for a black and white display with 
80x40 and 80x50 resolutions. 

There are no pseudographics for the 80x40 and 80x50 
display resolutions, so I prepared the separate terminal 
descriptions pccon0 and pccon0-m for these cases. 


Note 
To set up resolutions it is necessary to use the appropriate 
font: 

• /usr/share/misc/pcvtfonts/koi8-r-8x08 for 80x50 resolution, 
• /usr/share/misc/pcvtfonts/koi8-r-8x10 for 80x40 resolution, 
• /usr/share/misc/pcvtfonts/koi8-r-8x16 for 80x25 resolution. 

The appropriate fragments of /etc/rc.local are in 
Listing 3. 


Note 
To eliminate some color/attribute issues I usually run 
Midnight Commander as follows: 

# mc -c --colors errdhotnormal=black,lightgray:menuhotsel=lightgray,black 


That is all I have to tell about my work. I also hope 
that the OpenBSD developers will find these terminal 
descriptions helpful and include them in the base 
OpenBSD distribution as the default configuration for the 
AMD/Intel console. 


ALEXEI MALININ 
network administrator since 1991. He is an OpenBSD fan since 
Alexei.Malinin@inetcomm.ru 




TIPS AND TRICKS 


(Ab)using VideoLAN 

Learn what you can do with your video and audio using 
the powerful VideoLAN command line interface 

Dealing with video and audio data is part of our everyday 
life. Sometimes, though, we need to do things that fall into 
the "advanced" category. What tools should we use then? 


What you will learn... 

• That VideoLAN is a full-featured multimedia framework 
• That you can combine VideoLAN's modules into powerful pipelines 
• How to use VideoLAN in four real-life scenarios 


A number of multimedia-related solutions are present 
in the open-source world right now. Among the most 
popular and ubiquitous are MPlayer and VideoLAN. 

They share a fair amount of the codebase (both use 
ffmpeg), but have somewhat different designs. MPlayer is 
famous for having a command line option for everything. It 
has rich functionality and you can enable or disable certain 
features using command line flags. Still, if you need to do 
something that the MPlayer developers didn't expect you to 
need, you're in trouble. 

VideoLAN's design (at least from the user's perspective) is 
quite different. It's not just a player, it's a full-featured 
multimedia framework, like GStreamer or DirectShow. 
Although it has a rather simplistic user interface, you have 
total control over VideoLAN via the command line. You 
can build pipelines of filters and pass them as command 
line arguments. Unlike MPlayer, which can only play (you 
have to use MEncoder to encode data), VideoLAN can do 
any crazy thing you want with your video or audio. 

VideoLAN'’s problem though, is that this incredible 
flexibility isn’t that well documented (though situation is 
improving continuously). Let me share some examples of 
what VideoLAN can do: 


Scenario 1 


My desktop FreeBSD machine is connected to my stereo 
and I use it for music. But it does not have a display, which 
What you should know... 

• How to use the command line 
• Core networking concepts 
• Core video/audio concepts 


makes watching movies on it, er... problematic. So what I 
want is to be able to watch the movie on my laptop while 
redirecting the audio to my desktop machine. 

Let's start a VideoLAN that will listen on the UDP socket 
on port 1234 and play everything that it receives. 

vlc udp:// 

A command that looks like vlc [something] tells VideoLAN 
to open something. In this case it's a UDP socket. 
VideoLAN uses port number 1234 by default. 

Now what we need is to start playing the video on the 
laptop. We don't need any sound there; instead we want 
the audio to be streamed to the desktop machine. Also we don't 
want to stream video to the desktop machine, as all we care 
about there is sound. Let's try the following command: 

vlc some_movie.avi --sout="#duplicate{dst=display{noaudio,delay=1250},dst=duplicate{dst=std{mux=ts,access=udp,dst=192.168.1.42:1234},select=\"novideo\"}}" 


Here we build a full-fledged pipeline. The duplicate module 
dispatches the stream to a multitude of nested modules 
(module chains specified with dst). 

display is a module that, surprisingly enough, displays 
the stream on the current screen. It also plays sound on 
the local audio subsystem. But we disable that with the noaudio 
parameter, as we need only video on the laptop. Also we 
use delay=1250; this is the default buffering time used by 
VideoLAN when transmitting and receiving data over the 
network. In order for picture and sound to be in sync, we 
need to delay the picture a bit, so that we have enough time 
to buffer the sound. 

The second destination of the duplicate module is another 
duplicate module. We need it to specify the select=novideo 
option, which will prevent video from being sent to std. 
std stands for standard; it's the standard sink for the 
data. In this particular case it sends the audio via udp 
to 192.168.1.42:1234. As we need to send the stream in 
some format, we specify mux=ts, which means MPEG-TS, 
the MPEG container format specifically designed to be used 
in a networking environment. 

Now we have everything settled, and you should hear the 
sound coming from the desktop machine and still see a 
perfectly synchronized video on your laptop. 


Scenario 2 

(a bit weird, but nice for demonstration). I have 2 laptops 
and I want to split the movie between them, i.e. to use 
their screens as one large screen. The laptops should 
stand next to each other; the left one should show the left 
half of the picture and the right one the right part. 

Not everything in VideoLAN can be tuned in the 
pipeline command line argument (--sout=...). It also has 
a number of general-purpose command line arguments. 
For example — --crop, which tells VideoLAN how to crop a 
picture that is displayed locally. 

Let's assume that our movie's size is 720x304. 

In order to fulfill the scenario, we need VideoLAN running 
as UDP server on one of the laptops. We'll receive the full 
picture here and will have to crop it in order to show only 
the right half. 


vlc udp:// --crop='309x303+310+0' 


crop argument tells VideoLAN to use picture of the width 
309 and height 303 with the offset 310x0 pixels from the 
top left corner of the original picture. 

Let’s execute the following on the second laptop: 


vlc some_movie.avi --sout="#duplicate{dst=display{delay=1250},dst=duplicate{dst=std{mux=ts,access=udp,dst=192.168.1.42:1234},select=\"noaudio\"}}" --crop='309x303+0+0' 


Similar to the previous scenario, we display the video 
on the local display with a delay of 1250 milliseconds. The crop 
argument tells VideoLAN to crop the picture to size 
309x303, which effectively shows us only the left part of 
the picture. We also stream the video (without audio 
data) to our UDP server host to display the second half 
of the picture. 

Now, if we run VideoLAN using the commands above on 
2 laptops, we'll see half of the picture on each laptop with 
audio being played only by the second one. 


Scenario 3 

I am not at home and I want to use my laptop to watch 
a DVD movie stored on the hard drive of my desktop 
machine. 

The idea is that you may have a low-bandwidth 
connection that will make raw DVD data streaming 
impossible. Therefore what we need to do is to transcode 
datastream on the fly. It’s really not that hard. Let’s start 
with the VideoLAN on the home machine. 


vlc dvd:///home/user/saved/dvd --sout="#transcode{vcodec=h264,vb=1024,deinterlace,acodec=mp4a,ab=96,channels=2}:std{access=http,mux=asf,dst=10.0.0.1:10005}" 


A couple of points here. First, we play a DVD that is stored 
on disk, so we use a special syntax for that. Then, 
we use the --sout argument to build our pipeline. The transcode 
module is VideoLAN's Swiss army knife for all kinds 
of stream transformations. 
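The --sout strings in Scenario 1 and Scenario 3 follow one grammar: a leading '#', modules chained with ':', options in braces, bare flags (noaudio, deinterlace), quoted values (select="novideo", which the shell's \" escapes deliver to VLC) and nested module chains as option values (dst=std{...}). The following parser is an added example, not VLC's own code; it turns such a string into a tree, rebuilds it, and rejects unbalanced braces, which is an easy mistake when the chain is typed by hand.

```python
"""Parse and rebuild VideoLAN --sout chains (added example, not VLC's own parser)."""
import re
from dataclasses import dataclass, field

_IDENT = re.compile(r"[A-Za-z0-9_-]+")
_PLAIN = re.compile(r"[A-Za-z0-9_.:@/-]*")   # values that can be written unquoted


@dataclass
class Module:
    name: str
    options: list = field(default_factory=list)  # [(key, value)], value: None | str | list[Module]


class SoutParser:
    def __init__(self, text):
        self.s = text[1:] if text.startswith("#") else text
        self.i = 0

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def _ident(self):
        m = _IDENT.match(self.s, self.i)
        if not m:
            raise ValueError(f"identifier expected at offset {self.i}")
        self.i = m.end()
        return m.group(0)

    def chain(self):
        """module[:module...]"""
        modules = [self.module()]
        while self._peek() == ":":
            self.i += 1
            modules.append(self.module())
        return modules

    def module(self):
        """name or name{opt,opt=value,...}"""
        mod = Module(self._ident())
        if self._peek() != "{":
            return mod
        self.i += 1
        while True:
            while self._peek() == " ":          # tolerate spaces after commas
                self.i += 1
            if self._peek() == "}":
                self.i += 1
                return mod
            key, value = self._ident(), None
            if self._peek() == "=":
                self.i += 1
                value = self._value()
            mod.options.append((key, value))
            if self._peek() == ",":
                self.i += 1
            elif self._peek() != "}":
                raise ValueError(f"',' or '}}' expected at offset {self.i}")

    def _value(self):
        if self._peek() == '"':                  # quoted value
            end = self.s.index('"', self.i + 1)
            value, self.i = self.s[self.i + 1:end], end + 1
            return value
        m = _IDENT.match(self.s, self.i)
        if m and self.s[m.end():m.end() + 1] == "{":   # nested chain, e.g. dst=std{...}
            return self.chain()
        m = re.compile(r"[^,}]*").match(self.s, self.i)  # plain value, ':' allowed (host:port)
        self.i = m.end()
        return m.group(0)


def parse_sout(text):
    p = SoutParser(text)
    chain = p.chain()
    if p.i != len(p.s):
        raise ValueError(f"unexpected text at offset {p.i}: {p.s[p.i:]!r}")
    return chain


def is_well_formed(text):
    try:
        parse_sout(text)
        return True
    except ValueError:
        return False


def _render(chain):
    out = []
    for m in chain:
        parts = []
        for key, value in m.options:
            if value is None:
                parts.append(key)
            elif isinstance(value, list):
                parts.append(f"{key}={_render(value)}")
            else:
                parts.append(f"{key}={value}" if _PLAIN.fullmatch(value) else f'{key}="{value}"')
        out.append(m.name + ("{" + ",".join(parts) + "}" if parts else ""))
    return ":".join(out)


def to_sout(chain):
    """Inverse of parse_sout: the chain as a --sout argument value."""
    return "#" + _render(chain)


def leaf_modules(chain):
    """Names of the modules that finally consume data (no nested dst= chains)."""
    leaves = []
    for m in chain:
        nested = [v for _, v in m.options if isinstance(v, list)]
        for sub in nested:
            leaves.extend(leaf_modules(sub))
        if not nested:
            leaves.append(m.name)
    return leaves
```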

Most of the options specified in the example are self- 
explanatory, so let's cover them just briefly: 


• vcodec — what video codec to use for transcoding. 
VideoLAN has implementations of practically all 
codecs that exist at this moment. We use h264 as 
one of the most effective. 

• vb — stands for video bitrate. As our bandwidth is 
limited, we limit the bitrate to 1 MBit. 

• deinterlace — means that we want the picture to be 
deinterlaced prior to transcoding. 

• acodec — what audio codec to use. We use mp4a as 
one of the most effective ones. 

• ab — audio bitrate. 

• channels — number of audio channels in the audio 
streams that we want to have. It's reasonable to 
downmix audio to 2 channels when transmitting data 
over the network. 


Another important point is that we use access=http 
(instead of access=udp as in the previous examples). With 
access=udp, VideoLAN pushes the stream to the desired 
address. With access=http it acts as a server by itself. 

That's why on our remote machine we'll have to use the 
following command line: 

vlc http://10.0.2.1:10005 


The above command will connect to the VideoLAN 
started on the home machine and will stream transcoded 
data from it. 


Scenario 4 
Transcode the movie to be played on an iPhone. 

This is fairly common. There are tons of tools that can 
do this. Still it's worth pointing out that you can also use 
VideoLAN for iPhone-targeted transcoding. Here's the 
command line you need: 


vlc in.avi --sout="#transcode{width=320,canvas-height=240,vcodec=mp4v,vb=768,acodec=mp4a,ab=96,channels=1,audio-sync}:std{access=file,mux=mp4,dst=\"out.mp4\"}" 


This example is also fairly straightforward. However, we 
use some new options here: 


• width — resize the video to have a given width. 

• canvas-height — note that we use it and not just 
height. When you use canvas-height, if the video 
can't be resized to a given height without changing its 
aspect ratio, it will be padded with black stripes. 

• audio-sync — it will insert additional frames or drop 
some frames in order for video and audio to be 
perfectly synced. Useful to avoid potential synchronization 
problems. 


It's also worth noting that we use access=file as our output 
and MP4 as the container format. 

If we run the above command, VideoLAN will start 
converting the stream as fast as possible. This is because 
we haven't specified a display in our pipeline, so VideoLAN 
can process video faster than in real time. 
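The two command lines from Scenarios 3 and 4 share one shape: a transcode block followed by a std output block, joined with a colon. The script below is an added example, not code from the article or from the VideoLAN project; it assembles that --sout chain from its parameters, prints the command with the chain quoted so the shell does not brace-expand the comma lists, and checks that an access=http destination names a specific address (VLC listens there unauthenticated, so the bind address is the only thing limiting who can pull the stream). The addresses and file names are the article's placeholders, and vlc is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the article or VideoLAN): build the --sout chain
# used in Scenarios 3 and 4 and emit a correctly quoted command line.
# Assumptions: vlc is on PATH; the addresses and file names are placeholders.

# build_sout VCODEC VB ACODEC AB CHANNELS ACCESS MUX DST [EXTRA]
# Prints one --sout value. EXTRA is an optional comma-separated list of further
# transcode flags, e.g. "deinterlace" or "width=320,canvas-height=240".
build_sout() {
    vcodec=$1; vb=$2; acodec=$3; ab=$4; channels=$5
    access=$6; mux=$7; dst=$8; extra=${9:-}
    transcode="vcodec=$vcodec,vb=$vb,acodec=$acodec,ab=$ab,channels=$channels"
    if [ -n "$extra" ]; then
        transcode="$transcode,$extra"
    fi
    printf '#transcode{%s}:std{access=%s,mux=%s,dst=%s}\n' \
        "$transcode" "$access" "$mux" "$dst"
}

# vlc_cmd INPUT SOUT
# Prints the full command with the chain in single quotes: unquoted, bash
# would brace-expand the {a,b,c} lists and hand vlc several broken arguments.
vlc_cmd() {
    printf "vlc %s --sout='%s'\n" "$1" "$2"
}

# check_http_dst DST
# With access=http VLC itself listens on DST. Return 1 when the host part is
# empty or a wildcard, because the unauthenticated stream would then be
# offered on every interface instead of only the one you meant.
check_http_dst() {
    host=${1%:*}
    case "$host" in
        ''|0.0.0.0|'[::]') return 1 ;;
    esac
    return 0
}

# Scenario 3 (home machine) and Scenario 4 (file output), rebuilt here.
home_sout=$(build_sout h264 1024 mp4a 96 2 http asf 10.0.0.1:10005 deinterlace)
vlc_cmd dvd:///home/user/saved/dvd "$home_sout"
iphone_sout=$(build_sout mp4v 768 mp4a 96 1 file mp4 out.mp4 "width=320,canvas-height=240,audio-sync")
vlc_cmd in.avi "$iphone_sout"
```

The printed lines can be pasted into a shell as they are; the single quotes are what keep `#` and the braces intact.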


The four scenarios described above show the power of 
VideoLAN's video and audio processing abilities. 
However, VideoLAN can do a lot more. For example, 
it has a pluggable interface system, which allows you 
to control VideoLAN via text input, a window UI, an infrared 
remote control, telnet, IRC and so on. But this is 
probably a different topic that will be covered in one of 
the next issues. 


MICHAEL BUSHKOV 
committer. He is one of the main contributors of FreeBSD's 
nsswitch caching daemon (nscd) implementation. 
NetBSD Intrusion 
Detection Server 


How can we describe the functions of such a server? 

Sometimes a special type of system needs to be running on 
a server. This server serves a different purpose: it takes 
care of the network security. 


What you will learn... 

• How to run the Snort Intrusion Detection System on your machine. 

• If you previously had bad experiences with hackers and intruders, 
you now have the opportunity to detect such intruders. 

• What an IDS is and how it works. 


buy super-duper highly expensive IDS (Intrusion 
Detection System) machines, I will show you how 
to prepare such a custom-made machine with a usual 
server. We all need IDS machines in our networks. 
The world, and the internet, have become more hostile, 
and sometimes a company's security depends highly on 
the IDS that is silently processing packets somewhere in 
the network. 

The Intrusion Detection System, IDS for short, is a 
software system designed to help you detect attempts 
to access computer systems through a network. The 
IDS can help us detect any unusual network activity 
and can alert us about it. The system cannot directly 
detect attacks within properly encrypted traffic, but with 
appropriate rules you can get a wider picture of what 
is going on in your network or machines. So, the 
better the rules the system uses, the better the 
detection results. And let's not forget that hackers 
become more innovative after every attempt. 

An intrusion detection system is used to detect several 
types of malicious behaviors that can compromise the 
security and trust of a computer system. These types 
of behaviors include network attacks against vulnerable 
services or host-based attacks that aim to take control of 
your machines. You and your machines, as well as all your 
equipment, are targets because most hackers want 
to gain access to what you have. In order to achieve that 
they may try many ways, such as unauthorized logins and 
access to sensitive files, or the use of viruses, trojan horses, 
and worms. 


What you should know... 

• What NetBSD is. A basic knowledge of the BSD operating system is 
required. 

• To have had bad experiences with hackers and intruders. 

• A basic knowledge of networks. 

An IDS can be composed of several components: 
sensors which generate security events, a console to 
monitor events and alerts and to control the sensors, and a 
central engine that records the events logged by the sensors. 
An IDS can also use several output engines like a database, 
log files, pipes or network sockets. Every one of the output 
engines is useful and has its own benefits. These output 
engines can also affect the performance of the system. Of 
course, it is not the same to log to a local file and to log to 
a central database server. And it is not the same to log to 
a structured local file and to a plain text file. 


The operating system of our choice - NetBSD 
NetBSD is primarily focused on high quality design, 
stability and performance of the system. I prefer to use 
NetBSD because, at first, I am a fan and second, I am 
an enthusiast. But one of the main reasons is that I have 
some small experience with other types of operating 
systems and I know why to use NetBSD. NetBSD is very 
fast and does not need a machine for 100 000 euros just 
to do packet inspection. Some people probably prefer 
FreeBSD or OpenBSD, but I think that NetBSD is perfect 
for that kind of work. 
The Intrusion Detection System of our choice - Snort 

Snort is a free and open source network intrusion 
prevention system (NIPS) and network intrusion detection 
system (NIDS) capable of performing packet logging and 
real-time traffic analysis on IP networks. 

Snort can analyze and detect hacking activity in various 
ways. Some of these are protocol analysis and content 
searching/matching; it is also used to detect and block 
a variety of attacks and probes, such as buffer overflows, 
stealth port scans, web application attacks, SMB probes, 
or OS fingerprinting attempts. The software is mostly used 
for intrusion prevention purposes, dropping attacks as they 
are taking place. 

There are several running methods available in 
Snort. It can be configured to run in the following modes: 

• Sniffer mode. In this mode, Snort simply reads the 
packets off of the network and displays them for you on 
the console. 

• Packet Logger mode, which logs the packets to disk. 

• Network Intrusion Detection System (NIDS) mode. This 
has complex configuration options that allow Snort to 
analyze network traffic for matches against a user-defined 
rule set and perform several actions based upon what it 
sees. 


I do not have the intention to describe all the aspects 
of network security, and probably you do not wish 
that; the thing that I intend to show you is 
how to implement Snort in your NetBSD system. So, I 
intend to show you the things as they are, based on my 
experience. In every documentation on the internet you 
can find dry descriptions of how to use Snort, what its 
options are and what those options mean, but there is 
rarely information from real life. And my efforts are 
mostly focused on this. 

An intrusion detection system like Snort is a perfect 
tool to protect you, but it should be used properly for 
maximum effect. I would remark that such a system is 
especially beneficial when used in combination with an 
optimized and highly effective operating system like 
NetBSD. We all know that NetBSD is a preferred choice 
for servers with a requirement for high reliability, especially 
in firewalls, gateways or border machines accessible from 
the internet. I would like to say that I prefer to use Snort for 
one more thing: the case where I have to protect specific 
services against bug exploitation. For many people it may 
be strange how such a system could be used to protect 
services from having their own bugs exploited, but it is 
possible. Let me show you a real life example from my 
personal experience. 


Listing 1. Installation of Snort 


# pkg_add snort 
snort-2.8.5.1: Creating group "snort" 
snort-2.8.5.1: Creating user "snort" 
useradd: Warning: home directory '/nonexistent' doesn't exist, and -m was not specified 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/classification.config to /usr/pkg/etc/snort/classification.config 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/gen-msg.map to /usr/pkg/etc/snort/gen-msg.map 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/generators to /usr/pkg/etc/snort/generators 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/reference.config to /usr/pkg/etc/snort/reference.config 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/sid-msg.map to /usr/pkg/etc/snort/sid-msg.map 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/snort.conf.default to /usr/pkg/etc/snort/snort.conf 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/threshold.conf to /usr/pkg/etc/snort/threshold.conf 
snort-2.8.5.1: copying /usr/pkg/share/examples/snort/unicode.map to /usr/pkg/etc/snort/unicode.map 

The following files should be created for snort-2.8.5.1: 

        /etc/rc.d/snort (m=0755) 
            [/usr/pkg/share/examples/rc.d/snort] 

$NetBSD: MESSAGE,v 1.5 2005/09/14 12:46:52 adrianp Exp $ 
Listing 2a. Output of running Snort, Initializing Snort 


Running in IDS mode 

        --== Initializing Snort ==-- 
Initializing Output Plugins! 
Initializing Preprocessors! 
Initializing Plug-ins! 
Parsing Rules file /usr/local/etc/snort/snort.conf 
PortVar 'HTTP_PORTS' defined :  [ 80 ] 
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] 
PortVar 'ORACLE_PORTS' defined :  [ 1521 ] 
Frag3 global config: 
    Max frags: 65536 
    Fragment memory cap: 4194304 bytes 
Frag3 engine config: 
    Target-based policy: FIRST 
    Fragment timeout: 60 seconds 
    Fragment ttl_limit (not used): 5 
    Fragment Problems: 1 
Stream5 global config: 
    Track TCP sessions: ACTIVE 
    Max TCP sessions: 8192 
    Memcap (for reassembly packet storage): 8388608 
    Track UDP sessions: INACTIVE 
    Track ICMP sessions: INACTIVE 
Stream5 TCP Policy config: 
    Reassembly Policy: FIRST 
    Timeout: 30 seconds 
    Min ttl:  1 
    Options: 
        Static Flushpoint Sizes: YES 
    Reassembly Ports: 
      21 client (Footprint) 
      23 client (Footprint) 
      25 client (Footprint) 
      42 client (Footprint) 
      53 client (Footprint) 
      80 client (Footprint) 
      110 client (Footprint) 
      111 client (Footprint) 
      135 client (Footprint) 
      136 client (Footprint) 
      137 client (Footprint) 
      139 client (Footprint) 
      143 client (Footprint) 
      445 client (Footprint) 
      513 client (Footprint) 
      514 client (Footprint) 
      1433 client (Footprint) 
      1521 client (Footprint) 
      2401 client (Footprint) 
      3306 client (Footprint) 
HttpInspect Config: 
    GLOBAL CONFIG 
      Max Pipeline Requests:    0 
      Inspection Type:          STATELESS 
      Detect Proxy Usage:       NO 
      IIS Unicode Map Filename: /usr/local/etc/snort/unicode.map 
      IIS Unicode Map Codepage: 1252 
    DEFAULT SERVER CONFIG: 
      Server profile: All 
      Ports: 80 8080 8180 
      Flow Depth: 300 
      Max Chunk Length: 500000 
      Max Header Field Length: 0 
      Inspect Pipeline Requests: YES 
      URI Discovery Strict Mode: NO 
      Disable Alerting: NO 
      Oversize Dir Length: 500 
      Only inspect URI: NO 
      Ascii: YES alert: NO 
      Double Decoding: YES alert: YES 
      %U Encoding: YES alert: YES 
      Bare Byte: YES alert: YES 
      Base36: OFF 
      UTF 8: OFF 
      IIS Unicode: YES alert: YES 
      Multiple Slash: YES alert: NO 
      IIS Backslash: YES alert: NO 
      Directory Traversal: YES alert: NO 
      Web Root Traversal: YES alert: YES 
      Apache WhiteSpace: YES alert: NO 
      IIS Delimiter: YES alert: NO 
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG 
      Non-RFC Compliant Characters: NONE 
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d 
rpc_decode arguments: 
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE 
    alert_large_fragments: ACTIVE 
    alert_incomplete: ACTIVE 
    alert_multiple_requests: ACTIVE 
Portscan Detection Config: 


Listing 2b. Showing configuration 


    Detect Protocols:  TCP UDP ICMP IP 
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan 
    Sensitivity Level: Low 
    Memcap (in bytes): 10000000 
    Number of Nodes:   36900 
Tagged Packet Limit: 256 
Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so... done 
Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/... 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done 
  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done 
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/ 
FTPTelnet Config: 
    GLOBAL CONFIG 
      Inspection Type: stateful 
      Check for Encrypted Traffic: YES alert: YES 
      Continue to check encrypted data: NO 
    TELNET CONFIG: 
      Ports: 23 
      Are You There Threshold: 200 
      Normalize: YES 
      Detect Anomalies: NO 
    FTP CONFIG: 
      FTP Server: default 
        Ports: 21 
        Check for Telnet Cmds: YES alert: YES 
        Identify open data channels: YES 
      FTP Client: default 
        Check for Bounce Attacks: YES alert: YES 
        Check for Telnet Cmds: YES alert: YES 
        Max Response Length: 256 
SMTP Config: 
    Ports: 25 587 691 
    Inspection Type: Stateful 
    Normalize: EXPN RCPT VRFY 
    Ignore Data: No 
    Ignore TLS Data: No 
    Ignore SMTP Alerts: No 
    Max Command Line Length: Unlimited 
    Max Specific Command Line Length: 
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260 
       RCPT:300 VRFY:255 
    Max Header Line Length: Unlimited 
    Max Response Line Length: Unlimited 
    X-Link2State Alert: Yes 
    Drop on X-Link2State Alert: No 
    Alert on commands: None 
DCE/RPC Decoder config: 
    Autodetect ports ENABLED 
    SMB fragmentation ENABLED 
    DCE/RPC fragmentation ENABLED 
    Max Frag Size: 3000 bytes 
    Memcap: 100000 KB 
    Alert if memcap exceeded DISABLED 
DNS config: 
    DNS Client rdata txt Overflow Alert: ACTIVE 
    Obsolete DNS RR Types Alert: INACTIVE 
    Experimental DNS RR Types Alert: INACTIVE 
    Ports: 53 
SSLPP config: 
    Encrypted packets: not inspected 
    Ports: 
      443      465      563      636      989 
      992      993      994      995 
Initializing rule chains... 
1 Snort rules read 


Listing 2c. Reading rule chains 


    1 detection rules 
    0 decoder rules 
    0 preprocessor rules 
1 Option Chains linked into 1 Chain Headers 
0 Dynamic rules 
+++++++++++++++++++++++++++++++++++++++++++++++++++ 

+-------------------[Rule Port Counts]--------------------------------------- 
|             tcp     udp    icmp      ip 
|     src       0       0       0       0 
|     dst       0       0       0       0 
|     any       1       0       0       0 
|      nc       1       1       0       0 
|     s+d       0       0       0       0 
+---------------------------------------------------------------------------- 

+-----------------------[detection-filter-config]------------------------------ 
| memory-cap : 1048576 bytes 
+-----------------------[detection-filter-rules]------------------------------- 
| none 
+-----------------------[rate-filter-rules]------------------------------------ 
| none 
+-----------------------[suppression]------------------------------------------ 
| none 
------------------------------------------------------------------------------- 
Rule application order: activation->dynamic->pass->drop->alert->log 

Log directory = /var/log/snort/ 

Verifying Preprocessor Configurations! 

0 out of 512 flowbits in use. 

*** 
*** interface device lookup found: em0 
*** 

Initializing Network Interface em0 

Decoding Ethernet on interface em0 

[ Port Based Pattern Matching Memory ] 
+-[AC-BNFA Search Info Summary]------------------------------ 
| Instances        : 4 
| Patterns         : 769 
| Pattern Chars    : 
| Num States       : 225 
| Num Match States : 69 
| Memory           : 10.83Kbytes 
|   Patterns       : 
|   Match Lists    : 
+------------------------------------------------------------- 


Listing 2d. Initialization Complete 


        --== Initialization Complete ==-- 

   ,,_     -*> Snort! <*- 
  o"  )~   Version 2.8.5.1 NetBSD 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html 
           Copyright (C) 1998-2008 Sourcefire Inc., et al. 
           Using PCRE version: 7.7 2008-05-07 

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.10  <Build 47> 
           Preprocessor Object: SF_SSL  Version 1.1 
           Preprocessor Object: SF_SMTP  Version 1.1 
           Preprocessor Object: SF_SSH  Version 1.1 
           Preprocessor Object: SF_FTPTELNET  Version 1.1  <Build 10> 
           Preprocessor Object: SF_DNS  Version 1.1  <Build 2> 
           Preprocessor Object: SF_DCERPC  Version 1.1 
           Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0 
Not Using PCAP_FRAMES 

*** Caught Int-Signal 

=============================================================================== 
Packet Wire Totals: 
   Received:            0 
   Analyzed:            0 (0.000%) 
    Dropped:            0 (0.000%) 
Outstanding:            0 (0.000%) 
=============================================================================== 
Breakdown by protocol (includes rebuilt packets): 
      ETH: 0          (0.000%) 
  ETHdisc: 0          (0.000%) 
     VLAN: 0          (0.000%) 
     IPV6: 0          (0.000%) 
  IP6 EXT: 0          (0.000%) 
  IP6opts: 0          (0.000%) 
  IP6disc: 0          (0.000%) 
      IP4: 0          (0.000%) 
  IP4disc: 0          (0.000%) 
    TCP 6: 0          (0.000%) 
    UDP 6: 0          (0.000%) 
   ICMP 6: 0          (0.000%) 
  ICMP-IP: 0          (0.000%) 
      TCP: 0          (0.000%) 
      UDP: 0          (0.000%) 
     ICMP: 0          (0.000%) 
  TCPdisc: 0          (0.000%) 
  UDPdisc: 0          (0.000%) 
  ICMPdis: 0          (0.000%) 
     FRAG: 0          (0.000%) 
   FRAG 6: 0          (0.000%) 
    EAPOL: 0          (0.000%) 
  ETHLOOP: 0          (0.000%) 
      IPX: 0          (0.000%) 
    OTHER: 0          (0.000%) 
  DISCARD: 0          (0.000%) 
InvChkSum: 0          (0.000%) 
   S5 G 1: 0          (0.000%) 
   S5 G 2: 0          (0.000%) 
    Total: 0 
=============================================================================== 
Action Stats: 
ALERTS: 0 
LOGGED: 0 
PASSED: 0 
=============================================================================== 
Frag3 statistics: 
        Total Fragments: 0 
      Frags Reassembled: 0 
               Discards: 0 
          Memory Faults: 0 
               Timeouts: 0 
               Overlaps: 0 
              Anomalies: 0 
                 Alerts: 0 
     FragTrackers Added: 0 
    FragTrackers Dumped: 0 
FragTrackers Auto Freed: 0 
    Frag Nodes Inserted: 0 
     Frag Nodes Deleted: 0 
=============================================================================== 
Stream5 statistics: 
            Total sessions: 0 
              TCP sessions: 0 
              UDP sessions: 0 
             ICMP sessions: 0 
                TCP Prunes: 0 
                UDP Prunes: 0 
               ICMP Prunes: 0 
TCP StreamTrackers Created: 0 
TCP StreamTrackers Deleted: 0 
              TCP Timeouts: 0 
              TCP Overlaps: 0 
       TCP Segments Queued: 0 
     TCP Segments Released: 0 
       TCP Rebuilt Packets: 0 
         TCP Segments Used: 0 
              TCP Discards: 0 
      UDP Sessions Created: 0 
              UDP Timeouts: 0 
              UDP Discards: 0 
                    Events: 0 
=============================================================================== 

Recently I wrote a server application that receives and 
sends data through a port to other clients in the network. 
Nothing special, anybody can write such a daemon to 
do that. Yes, exactly, but I am not a perfect programmer 
and I usually have some bugs in my applications (like 
many developers). In fact, who does not make mistakes? 
Probably the one that does not work... 

So, this server had some weak points and I needed 
to protect it from exploitation of these bugs. Of course 
I had the idea how to fix the bugs, but some time to do 
that was needed and at that moment I had no time 
to fix any bug. Instead of that, I had to prepare some 
solution because I needed that server to work and I 
needed it to work correctly. Probably many people can 
say: of course, fixing the bug is the most appropriate 
solution, after that the server should be ok. Yes, but 
all applications have bugs and the bugs appear 
progressively. So, let me explain how I used Snort to fix 
the server. Snort gives me the opportunity to sniff the 
traffic, so I could see the packets and log a message if 
there was an attempt at bug exploitation, or I could even 
drop the packet. This is just a small area where Snort 
can be useful. 
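What the author describes is a pair of local rules: one that notices traffic to his own daemon that its protocol would never produce, and one that notices the repeated SSH login attempts he found in the logs. The script below is an added example, not the author's rules or anything shipped with Snort; it writes such a local rules file and lints it before Snort is restarted, because a rule without a sid or with an unbalanced parenthesis makes Snort refuse to start, which is the worst time to discover a typo. The daemon port 7777 and the 1024-byte message limit are placeholders, the variables $HOME_NET and $EXTERNAL_NET are assumed to be set in snort.conf, and sids from 1000001 upward are assumed free for local use. A drop action instead of alert needs Snort running inline, which this article does not cover.

```shell
#!/bin/sh
# Added example (not the author's rules, not from the Snort project): write a
# local rule set for the situation described above and lint it before use.
# Assumptions: the custom daemon listens on TCP 7777 (placeholder) and never
# receives messages above 1024 bytes; $HOME_NET/$EXTERNAL_NET come from
# snort.conf; sids 1000001+ are free for local rules.

# write_local_rules FILE: write the constructed rules to FILE.
write_local_rules() {
    cat > "$1" <<'EOF'
# local.rules (constructed example)
# Oversized request to the custom daemon: its protocol never sends more than
# 1024 bytes per message, so anything larger deserves a log entry.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"LOCAL oversized request to custom daemon"; flow:to_server,established; dsize:>1024; classtype:attempted-user; sid:1000001; rev:1;)
# Ten or more new SSH connections from one source address within a minute.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL repeated SSH connections from one source"; flags:S; detection_filter:track by_src, count 10, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)
EOF
}

# count_rules FILE: number of rule lines (ignores comments and blank lines).
count_rules() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# lint_rules FILE: return 0 when every rule starts with a known action, ends
# with ')', carries msg:, sid: and rev:, and no sid is used twice. Each
# problem is printed on its own line so the offending rule is easy to find.
lint_rules() {
    bad=0
    seen=""
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            "alert "*|"log "*|"pass "*|"drop "*) ;;
            *) echo "no action: $line"; bad=$((bad+1)); continue ;;
        esac
        case "$line" in
            *')') ;;
            *) echo "unterminated: $line"; bad=$((bad+1)) ;;
        esac
        for kw in msg: sid: rev:; do
            case "$line" in
                *"$kw"*) ;;
                *) echo "missing $kw: $line"; bad=$((bad+1)) ;;
            esac
        done
        sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
        if [ -n "$sid" ]; then
            case " $seen " in
                *" $sid "*) echo "duplicate sid $sid"; bad=$((bad+1)) ;;
            esac
            seen="$seen $sid"
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Typical use: write the file, lint it, then let Snort itself verify the
# whole configuration (snort -T -c /path/to/snort.conf) before restarting.
rules=${1:-./local.rules}
write_local_rules "$rules"
lint_rules "$rules" && echo "$(count_rules "$rules") rules in $rules look well-formed"
```

The lint is deliberately conservative: it only checks the shape Snort insists on, not whether the rule matches what you intend, so the file still needs the `-T` test run and a look at the first alerts it produces.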

I would also remark on the perfect combination of 
NetBSD, its firewall, and Snort that one can use. This 
combination allows one to use it for border machines 
where security is of high importance. I would prefer 
to use it to get the maximum possible protection for my 
network. Let me show you an example with the server 
mentioned before. 3 days after the server started I had 
to analyze the logs and I was totally shocked. The hack 
attempts were sooo many. Actually the server offers 2 
services — SSH and the service of my daemon. There 
were dozens of attempts to log in with some usernames 
like melinda, jack, etc... also I had some attempts 
with the "root" user. Of course, I was prepared for this 
and I configured Snort to inspect the incoming packets. 
Then I checked the log file from time to time to collect 
new information about the IP addresses that breached 
the line. 

Let's have a look at another situation. I have a 
connection to the internet, I use pppoe and I see how difficult 
the life of the ISP in my area is. I would advise any internet 
service provider to use Snort. Basically, an ISP should 
provide service to all of its customers, but there are a lot 
of customers that do not want just to use that service but 
also want to use it for bad things like hacking, stealing 
passwords or some other illegal activity. So, in simple 
words, the ISP has a very bad job... The provider also has 
to protect its customers from each other and protect their 
data. Let's not forget the threats from the internet, and 
if we summarize all these things together we have the real 
position of the ISP. And I would say that it is not that good a 
position. On one side the ISP should provide service 
and on the other side this provider should protect the 
customers. 

This is the right place where Snort and NetBSD together 
can fight all of the problems of such ISPs. 

Basically, Snort can be used to detect, stop, and report 
illegal activity, and in that case it can make the ISP's life 
easier. This is just an example of how an intrusion detection 
system like Snort can be useful. 

Let's get Snort to work on our machine (see Listing 1). 

That installed snort on my system. You should check 
whether you need some other packages to be installed; it is 
different for every system, so if the pkg_add program needs 
more packages you should install them as well. 

Then you can focus on your work with snort. Actually 
the work with it is very simple. There is a configuration file 
called snort.conf and several rules files. 

I have the configuration file in /etc/snort/snort.conf and the 
rules are there also. So, all the files are available in the /etc/ 
snort/ directory. You can use them at any location that you 
want, this is not important. 

To use snort, you will need to perform the following 
steps: 


Step 1. 
In case you don't have PKG_RCD_SCRIPTS set in your /etc/ 
mk.conf, copy 

/usr/pkg/share/examples/rc.d/snort to 
/etc/rc.d/snort and add 

snort=YES 


Listing 3. Example detection log 


[**] [1:...:...] A test log [**] 
[Priority: 0] 
***A**** Seq: 0x1554F001  Ack: 0xA122F39E  Win: ... 
TCP Options (1) => MSS: 1460 

[**] [1:...:...] A test log [**] 
[Priority: 0] 
***A**** Seq: 0x1554F002  Ack: 0xA122F3F1  Win: ... 

[**] [1:...:...] A test log [**] 
[Priority: 0] 
***A**** Seq: 0x1554F002  Ack: 0xA122F3F1  Win: ... 

[**] [1:...:...] A test log [**] 
[Priority: 30] 
***A**** Seq: 0x1554F25A  Ack: 0xA122F3F1  Win: ... 

02/28-18:53:50.555446 ... -> ... type:0x800 len:0x3E 
...:... -> ...:... TCP TTL:... TOS:0x0 ID:... IpLen:20 DgmLen:44 
***A**** Seq: ...  Ack: ...  Win: 0x2000  TcpLen: 24 

02/28-18:53:50.... ... -> ... type:0x800 len:0x... 
...:... -> ...:... TCP TTL:... TOS:0x0 ID:... IpLen:20 DgmLen:... 


Step 2. 
Now start snort by issuing the command 

/etc/rc.d/snort start 


We can also run snort directly, without starting it as a 
service. 
Run Snort with the following command: 

snort -c /path-to-your-config-file -de -l /path-to-your-log-directory 


That will run snort with the configuration file at /path- 
to-your-config-file and the log directory at /path-to-your-log- 
directory. 

Listing 2 shows some example output that you should see, 
including the shutdown lines: 

Snort exiting 

Run time prior to being shutdown was 3.14117 seconds. 

Some example logs: as you can see, the logs have 
information about source and destination ports, and other 
basic information about the packet (see Listing 3). 


Summary 

Any type of operating system can be used for such 
a server, but it should be fast, reliable and secure. 
Performance is very important because an IDS is a network 
dependent system: the faster our server processes the 
packets, the faster it will detect an attack. And the faster it 
detects the attack, the faster it will alert other systems about the 
situation. So, in order to achieve these goals, we need big 
iron and a fast operating system. 


SVETOSLAV CHUKOV 

Svetoslav Chukov/Chukich is a system administrator with 